- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: need to create separate field which will show ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
need to create separate field which will show rank based on event Count
ComputerName Events Rank
ABC 100 1
BCD 200 2
CDE 300 3
i need to create Rank by Events
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
my intention is highest number of event has to hold 1 rank then following and if events are same then rank should be same
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anyone is there to help on above request?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@shivareddysompalle,
Use first sort then streamstats command to calculate rank-
...|sort Events| streamstats count AS Rank
Below is using sample data-
|makeresults|eval ComputerName ="abc", Events ="200"
|append[|makeresults|eval ComputerName ="bcd", Events ="100"]
|append[|makeresults|eval ComputerName ="def", Events ="300"]|sort Events| streamstats count AS Rank
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@shivareddysompalle,
Try below-
|makeresults|eval ComputerName ="abc", Events ="200"
|append[|makeresults|eval ComputerName ="bcd", Events ="100"]
|append[|makeresults|eval ComputerName ="fcd", Events ="200"]
|append[|makeresults|eval ComputerName ="def", Events ="300"]|sort - Events | streamstats current=f window=1 values(Events) as prev | eval Rank_filled=if(prev=Events,0,1) | accum Rank_filled
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
used same but not worked .
i can't share my query since it is organisational data .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you share some sample data and your query by masking confidential data.
since as per your data from question it should work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
COmputerName Countofissues
ABC 10
BCD 22
DCE 32
my query is like
eventstats dc(Computername) as Countofissues by Computername
i need to assign rank based on Countofisues . Countofissues will change dynamically by time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try below without using above eventstats command-
...|table ComputerName Countofissues|sort - Countofissues | streamstats current=f window=1 values(Countofissues) as prev | eval Rank=if(prev=Countofissues,0,1) | accum Rank|table ComputerName Countofissues Rank
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how i will get Count of issues without eventstats ?
if i use stats no issues are found
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
use-
stats count as Countofissues by ComputerName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
even i have applied rank is same like 1 2 3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
my query is below:
index="abc" source="bcd"
|eval ComputerName=upper(ComputerName)
|join ComputerName
[|savedsearch Computers_By_Product productName="DELL"]
| eval title = replace(title,"{","")
| eval title = replace(title,"}","")
| rename title as signature
| join type=left signature
[search index="abc" source="dce" earliest=1 latest=now() | stats dc(id) as IDs by signature]
| eventstats dc(DateTime) as issueCount by ComputerName
| eventstats dc(ID) as fixCount by ComputerName
|sort issueCount |streamstats current=f window=1 values(issueCount) as Prev|eval Rank_filled=if(prev=Events,0,1) | accum Rank_filled|table ComputerName issueCount Rank_filled
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try below-
index="abc" source="bcd"
|eval ComputerName=upper(ComputerName)
|join ComputerName
[|savedsearch Computers_By_Product productName="DELL"]
| eval title = replace(title,"{","")
| eval title = replace(title,"}","")
| rename title as signature
| join type=left signature
[search index="abc" source="dce" earliest=1 latest=now() | stats dc(id) as IDs by signature]
| eventstats dc(DateTime) as issueCount by ComputerName
| eventstats dc(ID) as fixCount by ComputerName
|sort 0 - issueCount |streamstats current=f window=1 values(issueCount) as Prev|eval Rank_filled=if(prev=issueCount,0,1) | accum Rank_filled|table ComputerName issueCount Rank_filled
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
got results like
issueCount Rank
2 1
2 2
1 3
1 4
need the rank like
issueCount Rank
2 1
2 1
1 2
1 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock
please help on this
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
