Splunk Search

How to compare stats counts and highlight in a new field?

corehan
Explorer

Hello dear,

I want to compare stats counts for the same host and, if the counts are not equal, then create a new field and put "!" or whatever in it.

Hostname | Interface | Status | count | Alert

Scenario 1 ( clear, no alert )
HostA | InterfaceA | InterfaceA-up | 8
HostA | InterfaceA | InterfaceA-down | 8 |

Scenario 2 (Alert)
HostA | InterfaceA | InterfaceA-up | 8
HostA | InterfaceA | InterfaceA-down | 9 | !!!!!!!!!!!!!!!

Regards.

0 Karma

corehan
Explorer

Thank you. But I already have a stats count section and I can't combine it with this new feature;

Existing stats count:

|stats count by Date,host_name,ifName,Status |sort -count -ifName -Status -host_name

Regards.

0 Karma

to4kawa
Ultra Champion

> But I already have a stats count section

So, you can't combine.

0 Karma

corehan
Explorer

I must see Hostname, Interface and Status at the same time; Interface and Status are not enough for me :disappointed_face:

0 Karma

to4kawa
Ultra Champion

I see, I'm sorry to waste your time.

0 Karma
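One way to keep Hostname, Interface and Status on every row and still flag mismatched counts, as an added example that is not code from any poster in this thread: `eventstats` counts the distinct `count` values per host and interface without collapsing the rows, and `eval` fills the Alert field for every row of a pair whose counts differ. The sample rows built with `makeresults` are constructed (HostA matches Scenario 2, HostB is an invented matching pair), and `distinct_counts`, `row` and `f` are hypothetical helper field names.

```spl
| makeresults
| eval row=split("HostA,InterfaceA,InterfaceA-up,8;HostA,InterfaceA,InterfaceA-down,9;HostB,InterfaceB,InterfaceB-up,5;HostB,InterfaceB,InterfaceB-down,5", ";")
| mvexpand row
| eval f=split(row, ","), host_name=mvindex(f,0), ifName=mvindex(f,1), Status=mvindex(f,2), count=tonumber(mvindex(f,3))
| table host_name ifName Status count
| eventstats dc(count) as distinct_counts by host_name, ifName
| eval Alert=if(distinct_counts > 1, "!", "")
| fields - distinct_counts
| sort -count -ifName -Status -host_name
```

To apply this to the existing search, replace the first five lines with the base search followed by `|stats count by Date,host_name,ifName,Status`, and add `Date` to the `eventstats` by clause. An interface that has only one Status row in the time range gets no alert under this logic.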