Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to Filter data from result?

Akmal57
Path Finder
‎08-27-2023 11:00 PM

We have a set of data which populate host and ip

Eg.

Host                  IP                            count

ESDBAS         10.10.10.10              1

ASFDB             192.0.0.0                   1

Query:

index=a  sourcetype=b
| stats values(ip) as IP count by host

i need the result which any hostname that contain DB should come out on another field

eg:

Host                  IP                            count      Environment

ESDBAS         10.10.10.10              1                      DB

ASFDB             192.0.0.0                   1                      DB

Please assist me on this

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2023 12:24 AM

Hi @Akmal57,

let me understand: you want also to count the occurrences of the word "DB" in the hostnames?

If this is your requirement, you have two solutions:

you could use the rex command before the stats, somehing like this:

index=a sourcetype=b
| rex field=host "(?<Environment>DB)"
| stats values(ip) AS IP values(Environment) AS Environment count BY host

or the eval command:

index=a sourcetype=b
| eval Environment=if(match(host,"DB"),"DB","")
| stats values(ip) AS IP values(Environment) AS Environment count BY host

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2023 12:24 AM

Hi @Akmal57,

let me understand: you want also to count the occurrences of the word "DB" in the hostnames?

If this is your requirement, you have two solutions:

you could use the rex command before the stats, somehing like this:

index=a sourcetype=b
| rex field=host "(?<Environment>DB)"
| stats values(ip) AS IP values(Environment) AS Environment count BY host

or the eval command:

index=a sourcetype=b
| eval Environment=if(match(host,"DB"),"DB","")
| stats values(ip) AS IP values(Environment) AS Environment count BY host

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Akmal57
Path Finder
‎08-28-2023 07:41 PM

Hi @gcusello , 

Thank you very much for your assist.

What you understand is correct, both of your query works perfectly fine as expected.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

The Great Resilience Quest: 9th Leaderboard Update

The ninth leaderboard update (11.9-11.22) for The Great Resilience Quest is out &gt;&gt; Kudos to all the ...