- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Return the Count of events divided by 2
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm pretty new at this so I apologize if the question seems stupid.
I have a printer that sends syslogs to Splunk, and whenever the printer processes a job, it sends 2 identical items to Splunk. It's simple enough to get the total count, but dividing it in half is driving me crazy.
source = "hp printing" | chart count by host
Because of how the printer sends its logs, whatever the above outputs is double the actual number of print jobs the device has processed. I've tried so many combinations and just can't seem to figure it out.
source="hp printing" "printing"
| chart eval(count/2) by host
Above returns "Error in 'chart' command: The eval expression has no fields: 'count/2'."
source="hp printing" "printing"
| eval print_jobs = count/2
| chart eval(print_jobs) by host
Above returns "Error in 'chart command: The eval expression has no fields: 'print_jobs'."
I feel like this should be a simple task but just can't seem to nail it down.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like I found a solution, maybe there's a better way, but this worked:
index=print "printing"
| fieldformat count=count/2
| chart count- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like I found a solution, maybe there's a better way, but this worked:
index=print "printing"
| fieldformat count=count/2
| chart count- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ibanez450,
the easiest way is to use the stats command instead chart:
source="hp printing" "printing"
| stats eval(print_jobs) AS count by host
| eval print_jobs = count/2If the duplicated events have the same timestamp you could also use dedup before charting:
source="hp printing" "printing"
| dedup host _time
| chart eval(print_jobs) AS print_jobs by hostOne final hint: use always index in your main search: your searches will be faster.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the response, but neither of these worked.
The first one returned: "Error in 'stats' command: The argument 'eval(print_jobs)' is invalid. The second one returned: Error in 'chart' command: The eval expression has no fields: 'print_jobs'.
I had tried the dedup command, but unfortunately the timestamp on all of them is the same "none" and the _time is different on all of them so that just returns all the events instead.
Based on another thread in the forum, I've also tried:
index=print "printing" host=*
| eval print_job = count/2
| stats count(print_job)But that just returns zero... So still stuck unfortunately.
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
