Why stats command return only one specified platfo...

kacel · ‎07-01-2019

| inputlookup Obso_Inventory.csv | eval Compo=case(Composant="WAF", "LBWAF", Composant="LOAD BALANCER", "LBWAF", Composant="PROXY", "Browsing", Composant="FIREWALL", "Firewall", Composant="GATEWAY SSL", "Remote Access", Composant="GATEWAY SSL VPN", "Remote Access", Composant="IPS", "Anti-Intrusion", Composant="TAP", "Anti-Intrusion")      | rename Compo as Composant | search Composant="Firewall"  Editeur="*" Metier="*" Platform="*" Parent="*"
| stats count  as allFW , dc(Parent) as VSX_Instance

renjith_nair · ‎07-01-2019

@kacel,

Try adding a by clause in your stats

| inputlookup Obso_Inventory.csv 
| eval Compo=case(Composant="WAF", "LBWAF", Composant="LOAD BALANCER", "LBWAF", 
                  Composant="PROXY", "Browsing", Composant="FIREWALL", "Firewall", Composant="GATEWAY SSL", "Remote Access",
                  Composant="GATEWAY SSL VPN", "Remote Access", Composant="IPS", "Anti-Intrusion", 
                  Composant="TAP", "Anti-Intrusion") 
| rename Compo as Composant 
| search Composant="Firewall" Editeur="*" Metier="*" Platform="*" Parent="*"
| stats count as allFW , dc(Parent) as VSX_Instance by Platform

---
What goes around comes around. If it helps, hit it with Karma 🙂

Why stats command return only one specified platform field and not all of them

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Why stats command return only one specified platform field and not all of them

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!