Splunk Search

add a count column in the table

ringbbg
Engager

Hi All.

I want to add an additional column in the table to display how many times a particular host in the set time frame had a distinct hit based on the search query below. Can anyo0ne advise how I can add it to the table?

    <search>
      <query>index=nm "RPD_OSPF_NBR*" host=$hostname2$ syslog_message!="*ExStart due to*" syslog_message!="*UI_CMDLINE_READ_LINE*" | dedup syslog_message | table _time, host, ip, state, syslog_message | sort 0 -_time</query>
      <earliest>$_time.earliest$</earliest>
      <latest>$_time.latest$</latest>
    </search>
    <option name="count">20</option>
Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

index=nm "RPD_OSPF_NBR*" host=$hostname2$ syslog_message!="*ExStart due to*" syslog_message!="*UI_CMDLINE_READ_LINE*" | stats count max(_time) AS _time BY host ip state syslog_message | sort 0 -_time

View solution in original post

0 Karma

woodcock
Esteemed Legend

Like this:

index=nm "RPD_OSPF_NBR*" host=$hostname2$ syslog_message!="*ExStart due to*" syslog_message!="*UI_CMDLINE_READ_LINE*" | stats count max(_time) AS _time BY host ip state syslog_message | sort 0 -_time
0 Karma

ringbbg
Engager

thanks! is there a way to rearrange the order of the column? with the syntax above, the _time column is at the rightmost part of the table. I would like it to be in the left most side, or the first column. Thanks

0 Karma

woodcock
Esteemed Legend

Just add | table Your Preferred Order Of Field Names Here. Be sure to click Accept to close the question if the answer worked for you.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...