Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

need to create separate field which will show rank based on event Count

shivareddysompa
Explorer
‎05-29-2020 12:10 AM

ComputerName Events Rank

    ABC     100        1
    BCD 200        2
    CDE     300        3

i need to create Rank by Events

Tags (1)
0 Karma
Reply

shivareddysompa
Explorer
‎05-29-2020 02:32 AM

my intention is highest number of event has to hold 1 rank then following and if events are same then rank should be same

0 Karma
Reply

shivareddysompa
Explorer
‎06-10-2020 10:44 PM

anyone is there to help on above request?

0 Karma
Reply

493669
Super Champion
‎05-29-2020 01:21 AM

@shivareddysompalle,
Use first sort then streamstats command to calculate rank-

...|sort Events| streamstats count AS Rank

Below is using sample data-

|makeresults|eval ComputerName ="abc", Events ="200"
|append[|makeresults|eval ComputerName ="bcd", Events ="100"]
|append[|makeresults|eval ComputerName ="def", Events ="300"]|sort Events| streamstats count AS Rank
0 Karma
Reply

493669
Super Champion
‎05-31-2020 10:00 PM

@shivareddysompalle,
Try below-

|makeresults|eval ComputerName ="abc", Events ="200"
  |append[|makeresults|eval ComputerName ="bcd", Events ="100"]
   |append[|makeresults|eval ComputerName ="fcd", Events ="200"]
  |append[|makeresults|eval ComputerName ="def", Events ="300"]|sort - Events | streamstats current=f window=1 values(Events) as prev | eval Rank_filled=if(prev=Events,0,1) | accum Rank_filled
0 Karma
Reply

shivareddysompa
Explorer
‎06-02-2020 10:15 PM

used same but not worked .
i can't share my query since it is organisational data .

0 Karma
Reply

493669
Super Champion
‎06-02-2020 10:33 PM

Can you share some sample data and your query by masking confidential data.
since as per your data from question it should work.

0 Karma
Reply

shivareddysompa
Explorer
‎06-02-2020 10:41 PM 
    COmputerName  Countofissues
    ABC     10
    BCD     22
    DCE     32

my query is like
eventstats dc(Computername) as Countofissues by Computername

i need to assign rank based on Countofisues . Countofissues will change dynamically by time

0 Karma
Reply

493669
Super Champion
‎06-02-2020 10:53 PM

Try below without using above eventstats command-

...|table ComputerName Countofissues|sort - Countofissues | streamstats current=f window=1 values(Countofissues) as prev | eval Rank=if(prev=Countofissues,0,1) | accum Rank|table ComputerName Countofissues Rank
0 Karma
Reply

shivareddysompa
Explorer
‎06-02-2020 10:58 PM

how i will get Count of issues without eventstats ?
if i use stats no issues are found

0 Karma
Reply

493669
Super Champion
‎06-02-2020 11:01 PM

use-

stats count as Countofissues by ComputerName
0 Karma
Reply

shivareddysompa
Explorer
‎06-02-2020 11:09 PM

even i have applied rank is same like 1 2 3

0 Karma
Reply

shivareddysompa
Explorer
‎06-02-2020 11:15 PM

my query is below:

index="abc" source="bcd"
|eval ComputerName=upper(ComputerName)
|join ComputerName
[|savedsearch Computers_By_Product productName="DELL"]
| eval title = replace(title,"{","")
| eval title = replace(title,"}","")
| rename title as signature
| join type=left signature
[search index="abc" source="dce" earliest=1 latest=now() | stats dc(id) as IDs by signature]
| eventstats dc(DateTime) as issueCount by ComputerName
| eventstats dc(ID) as fixCount by ComputerName
|sort issueCount |streamstats current=f window=1 values(issueCount) as Prev|eval Rank_filled=if(prev=Events,0,1) | accum Rank_filled|table ComputerName issueCount Rank_filled

0 Karma
Reply

493669
Super Champion
‎06-02-2020 11:28 PM

Try below-

index="abc" source="bcd"
|eval ComputerName=upper(ComputerName)
|join ComputerName
[|savedsearch Computers_By_Product productName="DELL"]
| eval title = replace(title,"{","")
| eval title = replace(title,"}","")
| rename title as signature
| join type=left signature
[search index="abc" source="dce" earliest=1 latest=now() | stats dc(id) as IDs by signature]
| eventstats dc(DateTime) as issueCount by ComputerName
| eventstats dc(ID) as fixCount by ComputerName
|sort 0 - issueCount |streamstats current=f window=1 values(issueCount) as Prev|eval Rank_filled=if(prev=issueCount,0,1) | accum Rank_filled|table ComputerName issueCount Rank_filled
0 Karma
Reply

shivareddysompa
Explorer
‎06-03-2020 12:00 AM

got results like

issueCount Rank
2 1
2 2
1 3
1 4

need the rank like
issueCount Rank
2 1
2 1
1 2
1 2

0 Karma
Reply

shivareddysompa
Explorer
‎06-04-2020 03:56 AM

@woodcock

please help on this

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...