Solved: list eventccode and host

Huss54 · ‎02-01-2021

Hello,

I hope someone could help me out figuring out this one out. The core of what I am trying to do is get a list of all event codes in an index and source sorted on source to understand what is sending information if I am missing anything.

index=acg_eis_auth EventCode=* | dedup EventCode | fields EventCode
| stats count by EventCode

scelikok · ‎02-01-2021

Hi @Huss54,

Please try below;

index=acg_eis_auth EventCode=* 
| stats count by EventCode source host
| sort - count

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

richgalloway · ‎02-01-2021

Remove the dedup command. Deduplicating a field before counting that field means every value will have a count of 1.

---
If this reply helps you, Karma would be appreciated.

scelikok · ‎02-01-2021

Hi @Huss54,

Please try below;

index=acg_eis_auth EventCode=* 
| stats count by EventCode source host
| sort - count

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Huss54 · ‎02-01-2021

Thank you so much that was exactly what i was looking 🙂

list eventccode and host

fields

lookup

metadata

stats

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?