New user - trying to work out a report - Followup questions

Explorer

Appreciate the answer to my original question, but it leads me to a couple of additional issues:

0) As I write this, it was suggested that I tag it or link it back to the original question, and I don't see how to do either of those things... Help??!

1) The following query seems to work:

index="netcool" | stats count by tgtHostname, supportGroup | where count > 50 | stats count(tgtHostname) by supportGroup

This produces a list of support groups and a column which counts the number of hosts that have 50+ events associated with them. I can create a pie chart report out of this. So far so good...

The original suggested query was this:

[Search string] | stats count as EventCount by host, SupportGroup | where count > 100 | stats count(host) by SupportGroup

and my first question is - what does the 'as EventCount' mean, and is that supposed to be literal text or does EventCount correspond to one of my event columns? When I include that text, the query simply does nothing...

2) The query above generates 2 columns of data - I would like to display a third column, which would contain the sum total of all the events associated with the hosts in the given host group.

So instead of

SG_001 6
SG_002 4
SG_003 10

where the first row shows that support group SG_001 has 6 hosts with 50+ events, I'd like to generate

SG_001 6 200
SG_002 4 1000
SG_003 10 900

where the first row shows that SG_001 has 6 hosts with 50+ events, and those 6 hosts have a total of 200 events associated with them...

I'm working out the query language, but I would appreciate any help you can give me on this as I get started...

Thanks in advance,

nbc

1 Solution

Communicator

When you do a | stats count as EventCount it will rename count to EventCount.

I believe that search should have looked like this to work:

[Search string] | stats count as EventCount by host, SupportGroup | where EventCount > 100 | stats count(host) by SupportGroup

If the rename to EventCount were not there, it would have worked the first time. It could have been a typo.

Travis.

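As an added worked example (not part of the original question or of Travis's answer), the Python below reproduces the two-stage stats pipeline from the thread over a handful of constructed events, and also computes the third column asked for in item 2 (the total events of the hosts that cleared the threshold). The SPL shown in the module docstring is the equivalent search; the aggregate is renamed with "as" and then filtered under that new name, which is the fix the answer describes. The host names, group names and event counts are invented sample data.

```python
"""Reproduce the two-stage `stats` pipeline from the thread in plain Python.

SPL being modelled (the `as` clause just renames the aggregate field):

    index="netcool"
    | stats count as EventCount by tgtHostname, supportGroup
    | where EventCount > 50
    | stats count(tgtHostname) as HostCount, sum(EventCount) as TotalEvents
            by supportGroup

Every event below is constructed sample data, not real netcool output.
"""
from collections import Counter, defaultdict

# Constructed events: (tgtHostname, supportGroup). Counts are chosen so
# that some hosts fall on either side of the 50-event threshold.
SAMPLE_EVENTS = (
    [("web01", "SG_001")] * 120
    + [("web02", "SG_001")] * 80
    + [("web03", "SG_001")] * 10      # below threshold, dropped by `where`
    + [("db01", "SG_002")] * 1000
    + [("db02", "SG_002")] * 50       # exactly 50: `> 50` excludes it
    + [("app01", "SG_003")] * 51
)


def stats_count_by_host_group(events, threshold):
    """First `stats count as EventCount by tgtHostname, supportGroup`
    followed by `where EventCount > threshold`.

    Returns {(host, group): EventCount} for the rows that survive.
    The filter must reference the renamed field (EventCount): after
    `count as EventCount` there is no field called `count` any more, so a
    `where count > 100` compares against a missing field and keeps nothing,
    which is the "does nothing" behaviour described in the question.
    """
    per_host = Counter(events)
    return {key: n for key, n in per_host.items() if n > threshold}


def stats_by_group(filtered):
    """Second stage: count(tgtHostname) and sum(EventCount) by supportGroup.

    Returns {group: (HostCount, TotalEvents)}, i.e. the two original
    columns plus the requested total-events column.
    """
    hosts = defaultdict(int)
    totals = defaultdict(int)
    for (_host, group), n in filtered.items():
        hosts[group] += 1
        totals[group] += n
    return {g: (hosts[g], totals[g]) for g in sorted(hosts)}


def report(events=SAMPLE_EVENTS, threshold=50):
    """Run both stages, the way the piped SPL search would."""
    return stats_by_group(stats_count_by_host_group(events, threshold))


if __name__ == "__main__":
    for group, (host_count, total) in report().items():
        print(f"{group} {host_count} {total}")
```

Running the block prints one row per support group in the shape the question asks for (group, number of hosts over the threshold, total events for those hosts); db02 with exactly 50 events is excluded because the comparison is strictly greater-than, so pick ">=" in the SPL if the boundary should count.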
