Splunk Search

how to take the values from nth field

thambisetty
SplunkTrust

Hi all,
Below is my search:
source="computer_status_export_SEP12_Mar27.csv" | dedup "Computer Name","MAC Address1" | timechart count("Last time status changed") as count span=1d | sort - _time

_time        count
2014-03-27      24
2014-03-26   21790
2014-03-25   32439
2014-03-24    4017
2014-03-23    1336
2014-03-22     334
2014-03-21     441
2014-03-20    1540
2014-03-19    1134
2014-03-18    1874
2014-03-17    1363
2014-03-16     760
2014-03-15     261
2014-03-14     253
2014-03-13     698
2014-03-12     684
2014-03-11     541
2014-03-10     473
2014-03-09     425

Now what I want to do is add up the count after 10 values, meaning from 2014-03-17 to the end, so please help me.

————————————
If this helps, give a like below.
0 Karma

linu1988
Champion

If the above two suggestions are not okay for you, then use a where clause to keep the dates greater than the 17th!! Why bother about all the top 11 records or the 11th record!

0 Karma

somesoni2
SplunkTrust

Try this

source="computer_status_export_SEP12_Mar27.csv" | dedup "Computer Name","MAC Address1" | timechart count("Last time status changed") as count span=1d | sort - _time | streamstats count as sno | eval sno=if(sno>10,11,sno) | stats first(_time) as _time sum(count) as count by sno | fields - sno
0 Karma

somesoni2
SplunkTrust

Just to be sure, the output should be like this:

Date##Signature<=4##Signature>=5and<=10##Signature>=11
04-30##Count(04-30 to 04-27)##Count(04-26 to 04-22)##Count(before 04-22)

This should be done for just today or for every day, get data for past 5, 6-10 and before 10 days? Signature is a field in your logs?

0 Karma

thambisetty
SplunkTrust

The output which I mentioned above is for only one day (2014-03-27).
Now my question is that I want to make the trend for the previous 10 days, including today also. It means today (30/04/2014) to 21/04/2014 (from today back to the past 10 days).
Expected Output:
Date Signature<=4 "Signature>=5and<=10" "Signature>=11"
2014-04-30 100 200 500
29
28
27
26
25
24
23
22
21

So I can make the trend for the computer status report (this is the file where we store the status of the computer details of the entire domain).
Please help me.

————————————
If this helps, give a like below.
0 Karma

thambisetty
SplunkTrust

As I mentioned above:
_time        count
2014-03-27      24
2014-03-26   21790
2014-03-25   32439
2014-03-24    4017
2014-03-23    1336
2014-03-22     334
2014-03-21     441
2014-03-20    1540
2014-03-19    1134
2014-03-18    1874
2014-03-11     541
I want to generate a report with the first 4 days as group1, the next 6 days as group2, and the rest as group3.
Expected Output:

Signature_Status Count

Signature <=4            count1 (first 4 days count)
Signature >=5 and <=10   count2 (next 6 days count)
Signature >=11           count3 (rest of days count)

————————————
If this helps, give a like below.
0 Karma

somesoni2
SplunkTrust

You want a cumulative sum after the 10th value? If possible, provide the expected output from the sample data you've shared.

You can't have the syntax you mentioned in the previous comment, but if you can tell your requirement with the expected output, there may be some workarounds to get that.

thambisetty
SplunkTrust

And one more thing: can I write the code like below?
if(sno>=4,stats sum(count),if(sno>=5 and sno<=10),stats sum(count),if(sno>=11),stats sum(count))....
I think this should be understood by you. Please help me.

————————————
If this helps, give a like below.
0 Karma

thambisetty
SplunkTrust

That is a search for the first 10 values, right?
I want to combine after 10 to the last value. I don't want the first 10, ok.

————————————
If this helps, give a like below.
0 Karma

martin_mueller
SplunkTrust

You could set your timerange accordingly to only search from March 17th and on.

Alternatively, you can add this to the end of your search:

... | head 11 | stats sum(count)

That will take the first eleven rows, March 27th to March 17th, and sum up their counts.

0 Karma
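The three-bucket report asked for above (first 4 days, next 6 days, the rest) can be built by extending somesoni2's streamstats + eval + stats pattern from two groups to three. This is an added example, not a search from the thread; it assumes the same source file and field names as the original question.

```spl
source="computer_status_export_SEP12_Mar27.csv"
| dedup "Computer Name","MAC Address1"
| timechart count("Last time status changed") as count span=1d
| sort - _time
``` Number each daily row, newest day first ```
| streamstats count as sno
``` Map the row number to one of three buckets; case() stops at the first true test ```
| eval grp=case(sno<=4,1, sno<=10,2, true(),3)
``` Sum the daily counts per bucket and keep the date range each bucket covers ```
| stats sum(count) as Count min(_time) as from_time max(_time) as to_time by grp
| eval Signature_Status=case(grp==1,"Signature <=4", grp==2,"Signature >=5 and <=10", true(),"Signature >=11")
| fieldformat from_time=strftime(from_time,"%Y-%m-%d")
| fieldformat to_time=strftime(to_time,"%Y-%m-%d")
| table Signature_Status Count from_time to_time
```

Because timechart with span=1d emits one zero-filled row per calendar day, the buckets are calendar days counted back from the newest row, not the first 4 rows that happen to have data; if only days with events should count, add `| where count>0` before the streamstats.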