cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
ibanez450
Explorer
Member since: ‎04-10-2021
‎04-11-2021
Community Statistics
Posts 3
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎04-10-2021
Activity Feed
View All

Re: Return the Count of events divided by 2

by in Splunk Search
‎04-11-2021 06:46 AM
‎04-11-2021 06:46 AM
Looks like I found a solution, maybe there's a better way, but this worked: index=print "printing" | fieldformat count=count/2 | chart count ... View more

Re: Return the Count of events divided by 2

by in Splunk Search
‎04-11-2021 05:51 AM
‎04-11-2021 05:51 AM
Thank you for the response, but neither of these worked. The first one returned: "Error in 'stats' command: The argument 'eval(print_jobs)' is invalid. The second one returned: Error in 'chart' command: The eval expression has no fields: 'print_jobs'. I had tried the dedup command, but unfortunately the timestamp on all of them is the same "none" and the _time is different on all of them so that just returns all the events instead. Based on another thread in the forum, I've also tried: index=print "printing" host=* | eval print_job = count/2 | stats count(print_job) But that just returns zero... So still stuck unfortunately. ... View more

Return the Count of events divided by 2

by in Splunk Search
‎04-10-2021 05:44 PM
‎04-10-2021 05:44 PM
I'm pretty new at this so I apologize if the question seems stupid. I have a printer that sends syslogs to Splunk, and whenever the printer processes a job, it sends 2 identical items to Splunk. It's simple enough to get the total count, but dividing it in half is driving me crazy. source = "hp printing" | chart count by host Because of how the printer sends its logs, whatever the above outputs is double the actual number of print jobs the device has processed. I've tried so many combinations and just can't seem to figure it out. source="hp printing" "printing" | chart eval(count/2) by host Above returns "Error in 'chart' command: The eval expression has no fields: 'count/2'." source="hp printing" "printing" | eval print_jobs = count/2 | chart eval(print_jobs) by host Above returns "Error in 'chart command: The eval expression has no fields: 'print_jobs'." I feel like this should be a simple task but just can't seem to nail it down. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-11-2021 10:07 AM