Hey everyone, simple question.
Is it possible to append or use a subsearch to return a count?
Here is how I'm currently trying to do it, but it's blanking all of the other fields as soon as I add the stats command:
sourcetype="AS-CDR" OR sourcetype="XS-CDR" Type!=Interim
|rex field=Local_Call_ID "(?P<Local_Call_ID_Trimmed>\d+)(?=:)"
|rex field=Related_Call_ID "(?P<Related_Call_ID_Trimmed>\d+)(?=:)"
|stats count by Local_Call_ID_Trimmed
|rename count as Related_Calls
|table Start_Time Answer_Time Answer_Indicator Release_Time Termination_Cause_Description Local_Call_ID_Trimmed Related_Call_ID_Trimmed Service_Provider Type User_Number Calling_Number Called_Number Direction User_Time_Zone host Related_Calls
There are two ways to do it. Either use eventstats, or use stats as:
... | stats count as Related_Calls
first(Start_Time) as Start_Time
first(Answer_Time) as Answer_Time
first(Answer_Indicator) as Answer_Indicator
...
by Local_Call_ID_Trimmed
But this assumes that you want to collapse all the other fields by the Local_Call_ID_Trimmed
field. It's not clear to me which way is correct for your data.
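To make the difference between the two answers concrete, here is an added Python model (not Splunk code, not from the original thread) of what `eventstats count ... by` and `stats count ... first(X) as X ... by` each do to a handful of constructed CDR events, using the same `(?P<...>\d+)(?=:)` trim as the post's rex; the `eventstats` form keeps every event and its fields, the `stats` form collapses to one row per `Local_Call_ID_Trimmed`.

```python
import re
from collections import Counter

# Constructed sample CDR events (not from the original post); Local_Call_ID
# carries the same "<digits>:<suffix>" shape the post's rex expression expects.
EVENTS = [
    {"Start_Time": "10:00:01", "Local_Call_ID": "1001:ab", "Related_Call_ID": "1002:cd"},
    {"Start_Time": "10:00:02", "Local_Call_ID": "1002:cd", "Related_Call_ID": "1001:ab"},
    {"Start_Time": "10:00:03", "Local_Call_ID": "1001:ab", "Related_Call_ID": "1003:ef"},
    {"Start_Time": "10:00:04", "Local_Call_ID": "1003:ef", "Related_Call_ID": "1001:ab"},
]

TRIM = re.compile(r"(?P<Trimmed>\d+)(?=:)")  # same pattern as the post's rex


def rex_trim(events, field):
    """Model `rex field=<field> "(?P<field_Trimmed>\\d+)(?=:)"`: add a trimmed field per event."""
    for e in events:
        m = TRIM.search(e.get(field, ""))
        if m:
            e[field + "_Trimmed"] = m.group("Trimmed")
    return events


def eventstats_count(events, by_field, as_field):
    """Model `eventstats count as <as_field> by <by_field>`: every event that has
    the by-field survives and gains the group count; all other fields are untouched."""
    counts = Counter(e[by_field] for e in events if by_field in e)
    return [dict(e, **{as_field: counts[e[by_field]]}) for e in events if by_field in e]


def stats_count_first(events, by_field, as_field, keep_fields):
    """Model `stats count as <as_field> first(X) as X ... by <by_field>`: one row per
    group; a non-grouped field only survives if it is carried along with first()."""
    rows = {}
    for e in events:
        if by_field not in e:
            continue
        row = rows.setdefault(e[by_field], {by_field: e[by_field], as_field: 0})
        row[as_field] += 1
        for f in keep_fields:
            row.setdefault(f, e.get(f))  # first(): keep the value from the first event seen
    return list(rows.values())
```

Run `eventstats_count` on the trimmed events to see each of the four rows keep its own `Start_Time` while gaining `Related_Calls`; `stats_count_first` returns only three rows, one per trimmed ID.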
Just tried it using eventstats, works like a bell. Thank you! I'll have to play with this a bit more.
Basically this is for a search which will run through all calls/events from the past 5 minutes. As each one gets looked at by Splunk, I want it to print a table with the details for that individual event. I also want it to show the number of other events where the Local_Call_ID_Trimmed number appears, and place that into a field in the table results. I don't need any of the fields from the related records, just the number of related records.