Splunk Search

How to compare stats counts and highlight in a new field?

corehan
Explorer

Hello dear,

I want to compare the stats counts for the same host, and if the counts are not equal, then create a new field and put "!" or whatever.

Hostname | Interface | Status | count | Alert

Scenario 1 ( clear, no alert )
HostA | InterfaceA | InterfaceA-up | 8
HostA | InterfaceA | InterfaceA-down | 8 |

Scenario 2 (Alert)
HostA | InterfaceA | InterfaceA-up | 8
HostA | InterfaceA | InterfaceA-down | 9 | !!!!!!!!!!!!!!!

Regards.

0 Karma

corehan
Explorer

Thank you. But I already have a stats count section and I can't combine it with this new feature.

Existing stats count:

|stats count by Date,host_name,ifName,Status |sort -count -ifName -Status -host_name

Regards.

0 Karma

to4kawa
Ultra Champion

But I have already stats count section
so, you can't combine.

0 Karma

corehan
Explorer

I must see Hostname, Interface and Status at the same time; Interface and Status are not enough for me 😞

0 Karma

to4kawa
Ultra Champion

I see, I'm sorry to waste your time.

0 Karma
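
One way to get the Alert column from the question while keeping the existing stats search, as an added example that is not part of the original thread: `eventstats` compares the per-Status counts inside each Date, host_name and ifName group and marks every row of a group whose counts differ. Treating a group with only one Status value as a mismatch is an assumption, and `distinct_counts` and `status_kinds` are helper field names chosen for this example.

```spl
| stats count by Date, host_name, ifName, Status
| eventstats dc(count) AS distinct_counts dc(Status) AS status_kinds by Date, host_name, ifName
| eval Alert=if(distinct_counts > 1 OR status_kinds < 2, "!!!", "")
| fields - distinct_counts, status_kinds
| sort -count -ifName -Status -host_name
```

Because `eventstats` adds fields without collapsing rows, Hostname, Interface and Status all stay visible; with the sample data, Scenario 1 (8 and 8) leaves Alert empty and Scenario 2 (8 and 9) marks both rows.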