Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me count the values of two different fields?

jip31
Motivator
‎10-17-2018 07:10 AM

Hello

I use the code below in order to count the number of hosts by OS and by build. But, it doesn't work.
Could you help me please??

host=*
index="windows" sourcetype="wineventlog" 
SourceName="*" Type="Critique" OR Type="*"  

| dedup host   

| stats count by host   

| join host [search index=windows sourcetype=winregistry  key_path="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion" 
 OR 
key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId"
 |eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion",data, null), 
Build=if(key_path=="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId",data,null) 

| stats values(data) as OS by host]
| stats count values(host) by OS, Build

| rename count as Total
| table OS Build Total
| sort -Total limit=10
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-17-2018 07:25 AM

Give this a try

host=*
 index="windows" sourcetype="wineventlog"  SourceName="*" Type="Critique" OR Type="*"  
  | dedup host    
 | stats count by host  
 | append [search index=windows sourcetype=winregistry  key_path="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion" 
  OR 
 key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId"
  |eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion",data, null), 
 Build=if(key_path=="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId",data,null) 
 | stats latest(OS) as OS latest(Build) as Build by host ]
| stats values(OS) as OS values(Build) as Build by host
| stats count as Total by OS Build
 | sort -Total limit=10

View solution in original post

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-17-2018 07:34 AM

i think
| stats count values(host) by OS, Build
is wrong..

try -
index=* | stats values(host) as HostCount by OS Build

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-17-2018 07:25 AM

Give this a try

host=*
 index="windows" sourcetype="wineventlog"  SourceName="*" Type="Critique" OR Type="*"  
  | dedup host    
 | stats count by host  
 | append [search index=windows sourcetype=winregistry  key_path="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion" 
  OR 
 key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId"
  |eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion",data, null), 
 Build=if(key_path=="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId",data,null) 
 | stats latest(OS) as OS latest(Build) as Build by host ]
| stats values(OS) as OS values(Build) as Build by host
| stats count as Total by OS Build
 | sort -Total limit=10
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎10-17-2018 11:56 PM

thanks a lot it s perfect

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...