Solved: list eventccode and host

Huss54 · ‎02-01-2021

Hello,

I hope someone could help me out figuring out this one out. The core of what I am trying to do is get a list of all event codes in an index and source sorted on source to understand what is sending information if I am missing anything.

index=acg_eis_auth EventCode=* | dedup EventCode | fields EventCode
| stats count by EventCode

scelikok · ‎02-01-2021

Hi @Huss54,

Please try below;

index=acg_eis_auth EventCode=* 
| stats count by EventCode source host
| sort - count

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

richgalloway · ‎02-01-2021

Remove the dedup command. Deduplicating a field before counting that field means every value will have a count of 1.

---
If this reply helps you, Karma would be appreciated.

scelikok · ‎02-01-2021

Hi @Huss54,

Please try below;

index=acg_eis_auth EventCode=* 
| stats count by EventCode source host
| sort - count

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Huss54 · ‎02-01-2021

Thank you so much that was exactly what i was looking 🙂

list eventccode and host

fields

lookup

metadata

stats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!