Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

search string query

francly
Explorer
‎09-25-2017 07:37 PM

Hi I can use the search string to get the statistics output

index=data sourcetype="data1" host=HOSTA | stats count by NAME | sort -count | head 3

Name Count
SRV1 800
SRV2 600
SRV6 700

Question is how I continue use string to query each of the output "Name" to display a new field "RULE" under "Name"

Example

index=data sourcetype="data1" host=HOSTA Name=SRV1 | stats count by RULE | sort -count

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎09-27-2017 10:48 PM

You can try something like this...

index=data sourcetype="data1" host=HOSTA Name=SRV1 
| stats count by NAME RULE 

| rename COMMENT as "Chew all the records up again to get the top 3 names"
| appendpipe [| stats sum(count) as totcount by NAME | sort 3 - totcount]

| rename COMMENT as "Roll the top 3 totcount onto all records with that NAME, then drop all records without totcount"
| eventstats values(totcount) as totcount by NAME
| where isnotnull(totcount)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-26-2017 02:31 AM

Hi francly,
I'm not sure to have understood you request: do you want to create a new query or use the same to have a subdivision of RULES by NAMEs?

If the first you already have the solution.

If the second you can use 

index=data sourcetype="data1" host=HOSTA Name=SRV1 | stats count by NAME RULE | sort -count

and take the first 3.

Remeber that if you want a stats by one field (e.g. stats count by NAME) it's easier to use top command.

Bye.
Giuseppe

0 Karma
Reply

francly
Explorer
‎09-26-2017 02:50 AM

Hi Giuseppe,

I want to know based on my output

index=data sourcetype="data1" host=HOSTA | stats count by NAME | sort -count | head 3

Name Count
SRV1 800
SRV2 600
SRV6 700

it's any string of script will automatically take "Name" from the output in this 3 name or potentially more name to get the top "Rule"

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-26-2017 04:23 AM

Hi francly,
you can add values(RULE) AS RULE to have a list of all rules for each host, is it what you like?
something like this

index=data sourcetype="data1" host=HOSTA 
| stats values(RULE) AS RULE count by NAME 
| sort -count 
| head 3

Bye.
Giuseppe

0 Karma
Reply

francly
Explorer
‎09-26-2017 08:34 PM

Hi Giuseppe, it's possible to break down the count for all the rule? right now I'm only getting 1 rule per Name

Name Total Count
SRV1 800
Rule1 500
Rule2 200
Rule3 100

SRV2 600
SRV6 700

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-27-2017 04:02 AM

Hi francly,
try this

index=data sourcetype="data1" host=HOSTA 
| stats count by NAME, RULE
| search [ search 
   index=data sourcetype="data1" host=HOSTA 
   | stats count by NAME 
   | head 3 
   | fields NAME 
   ]
| eventstats sum(count) as rank by NAME
| appendpipe  [ stats values(rank) AS rank sum(count) AS Total by NAME ] 
| sort 0 -rank NAME -Total -count
| fields - rank
| eval NAME=if(Total>0,NAME,"")

Bye.
Giuseppe

0 Karma
Reply

francly
Explorer
‎09-27-2017 08:32 PM

Hi Giuseppe,

I getting this not relevant output

alt text

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-28-2017 12:44 AM

Sorry I cannot see your output.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...