Here is my search command:
index="vsapi" | stats dc(guid) as count by os_name, blob_virusinfo_detectionname | sort -count | sort +os_name
thanks
I don't understand your second question, but I think the first one should be pretty easy to do. The built-in top
search command supports a by-clause. You can do a | top limit=50 blob_virusinfo_detectionname by os_name
(Or whatever other field you wish to count the top 50 of by OS). http://www.splunk.com/base/Documentation/latest/SearchReference/Top
hi, thanks your reply,
It shows a limit of 50 for each os_name, but it's not the "top" 50 by count. I need the top 50 by dc(guid) as count for each os_name.
About the second question: I mean when setting up search & report, it will send a csv file in email; how do I add the query date to the filename? (ex: query interval -7d@d -> @d)
regards
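As an added example that is not part of the thread: one way to get the per-os_name top 50 ranked on dc(guid) rather than on raw event count, using the asker's own index and field names, is to compute the distinct count first and then rank within each os_name group with streamstats.

```spl
index="vsapi"
| stats dc(guid) as count by os_name, blob_virusinfo_detectionname
| sort 0 -count
| streamstats count as rank by os_name
| where rank <= 50
| sort 0 +os_name, -count
```

`sort 0` lifts the default 10000-row sort limit so large detection-name sets are not truncated before ranking; `streamstats count ... by os_name` numbers rows separately per OS in descending-count order, and the `where` keeps the first 50 of each group.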