Hi,
The request below counts the number of error events by host:
index="x" sourcetype="x" ConfigManagerErrorCode=28
| dedup host
| stats count(host) as host
I want to match this count with the search below in order to have the number of error events by model:
index="x" sourcetype="x" ConfigManagerErrorCode=28
| dedup host
| append
[ search index="aix" sourcetype="x"
| rex "Model=(?<model>.*)" ]
| stats values(model) as Model by host
| stats count(host) as host by Model
| dedup host
So I do this, but it doesn't return the same number of events as the first search.
So my request is not good...
Could you help me with this append command, please?
Try this:
index="x" sourcetype="x" ConfigManagerErrorCode=28
| stats count BY host
| rename COMMENT AS "The stuff below converts your 5 rows into 1"
| eval hosts="counts"
| xyseries hosts host count
First of all, your first search does NOT count number of error events by host, but this does:
index="x" sourcetype="x" ConfigManagerErrorCode=28
| stats count BY host
To show the number of error events by model, try this:
(index="x" sourcetype="x" ConfigManagerErrorCode=28) OR (index="aix" sourcetype="x")
| rex "Model=(?<model>.*)"
| stats values(model) AS Model count(eval(index=x)) AS count BY host
| mvexpand Model
| stats sum(count) AS count BY Model
Hi,
OK for:
index="x" sourcetype="x" ConfigManagerErrorCode=28
| stats count BY host
But if I want to have the result (five events) in a single value, what do I have to do?
Concerning:
(index="x" sourcetype="x" ConfigManagerErrorCode=28) OR (index="aix" sourcetype="x")
| rex "Model=(?<model>.*)"
| stats values(model) AS Model count(eval(index=x)) AS count BY host
| mvexpand Model
| stats sum(count) AS count BY Model
It doesn't work.
I have more than 2000 events...
If in the request below I have 5 events, I need to also have 5 events in the second query, but I want the details by model:
index="x" sourcetype="x" ConfigManagerErrorCode=28
| stats count BY host
When I do this it's almost what I want, but it seems to count not the number of hosts by model but only to count each model (so I always have model a=1, model b=1, model c=1):
(index="x" sourcetype="WMI:PeriphIssue" ConfigManagerErrorCode=28)
| dedup host
| append
[ search index="x" sourcetype="WMI:ModelPC" NOT host=E*
| rex "Model=(?
| stats values(model) as Model by host ]
| stats count(host) as host by Model
index="x" sourcetype="x" ConfigManagerErrorCode=28
| stats dc(host) as host
for getting hosts
and as suggested by woodcock
(index="x" sourcetype="x" ConfigManagerErrorCode=28) OR (index="aix" sourcetype="x")
| rex "Model=(?<model>.*)"
| stats values(model) AS Model count(eval(index=x)) AS count BY host
| mvexpand Model
| stats sum(count) AS count BY Model
this should work
Which index do I have to add in count(eval(index=x))?