help on append command

jip31 · ‎02-12-2019

hi

The request below count a number of error events by host

index="x" sourcetype="x" ConfigManagerErrorCode=28 
| dedup host
| stats count(host) as host

I want to match this count with the serach below in order to have the number of error events by model

index="x" sourcetype="x" ConfigManagerErrorCode=28 
| dedup host 
| append 
    [ search index="aix" sourcetype="x" 
    | rex "Model=(?<model>.*)" ] 
| stats values(model) as Model by host 
| stats count(host) as host by Model 
| dedup host

So I do this but it doesn't returns the same number of events that there is in the first search
So my request is not good....
Could you help me on this append command please???

woodcock · ‎03-02-2019

Try this:

index="x" sourcetype="x" ConfigManagerErrorCode=28 
| stats count BY host
| rename COMMENT AS "The stuff below converts your 5 rows into 1"
| eval hosts="counts"
| xyseries hosts host count

woodcock · ‎02-12-2019

First of all, your first search does NOT count number of error events by host, but this does:

index="x" sourcetype="x" ConfigManagerErrorCode=28 
| stats count BY host

To show the number of error events by model, try this:

(index="x" sourcetype="x" ConfigManagerErrorCode=28) OR (index="aix" sourcetype="x")
| rex "Model=(?<model>.*)"
| stats values(model) AS Model count(eval(index=x)) AS count BY host
| mvexpand Model
| stats sum(count) AS count BY Model

jip31 · ‎02-12-2019

hi

OK for :

index="x" sourcetype="x" ConfigManagerErrorCode=28 
| stats count BY host

but if I want to have the result (five events) in a single value what i have to do

concerning :

 (index="x" sourcetype="x" ConfigManagerErrorCode=28) OR (index="aix" sourcetype="x")
2. | rex "Model=(?<model>.*)"
3. | stats values(model) AS Model count(eval(index=x)) AS count BY host
4. | mvexpand Model
5. | stats sum(count) AS count BY Model

it doesn't works
I have more than 2000 events...
if in the request below I have 5 events I need to have also 5 events in the second query but i want the details by model

 index="x" sourcetype="x" ConfigManagerErrorCode=28 
| stats count BY host

jip31 · ‎02-12-2019

when I do this its almost what i want but it seems to count not the number of host by model but only to count each model (so I have always model=a =1, model b=1, model c=1)

nawneel · ‎02-12-2019

index="x" sourcetype="x" ConfigManagerErrorCode=28 
 | stats dc(host) as host

for getting hosts

and as suggested by woodcock

(index="x" sourcetype="x" ConfigManagerErrorCode=28) OR (index="aix" sourcetype="x")
 | rex "Model=(?<model>.*)"
 | stats values(model) AS Model count(eval(index=x)) AS count BY host
 | mvexpand Model
 | stats sum(count) AS count BY Model

this should work

jip31 · ‎02-12-2019

which index I have to add in count(eval(index=x))??

help on append command

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation

help on append command

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!