Why stats command return only one specified platfo...

kacel · ‎07-01-2019

| inputlookup Obso_Inventory.csv | eval Compo=case(Composant="WAF", "LBWAF", Composant="LOAD BALANCER", "LBWAF", Composant="PROXY", "Browsing", Composant="FIREWALL", "Firewall", Composant="GATEWAY SSL", "Remote Access", Composant="GATEWAY SSL VPN", "Remote Access", Composant="IPS", "Anti-Intrusion", Composant="TAP", "Anti-Intrusion")      | rename Compo as Composant | search Composant="Firewall"  Editeur="*" Metier="*" Platform="*" Parent="*"
| stats count  as allFW , dc(Parent) as VSX_Instance

renjith_nair · ‎07-01-2019

@kacel,

Try adding a by clause in your stats

| inputlookup Obso_Inventory.csv 
| eval Compo=case(Composant="WAF", "LBWAF", Composant="LOAD BALANCER", "LBWAF", 
                  Composant="PROXY", "Browsing", Composant="FIREWALL", "Firewall", Composant="GATEWAY SSL", "Remote Access",
                  Composant="GATEWAY SSL VPN", "Remote Access", Composant="IPS", "Anti-Intrusion", 
                  Composant="TAP", "Anti-Intrusion") 
| rename Compo as Composant 
| search Composant="Firewall" Editeur="*" Metier="*" Platform="*" Parent="*"
| stats count as allFW , dc(Parent) as VSX_Instance by Platform

---
What goes around comes around. If it helps, hit it with Karma 🙂

Why stats command return only one specified platform field and not all of them

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Why stats command return only one specified platform field and not all of them

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk