Dear All,
I am new to Splunk and got a request to create a dashboard in Splunk. The criteria is to collect/group linkdown traps and have a count based on interface.
So example output needs to be like
Host --- Interface --- Count
Right now I am able to get Host --- Count, but need to edit the search so that I get a count based on Interface and not host. Hope this is clear.
Kind Regards
Try this :
<your search> |stats count,latest(Host) as Host by Interface
This can be modified to your final requirement
Hey, thank you. Just want to update the forum: I got it.
index=XXX sourcetype="YYY" "Server Interface Down" | rex "(?i) Interface Down on (?P<Interface>[^ ]+)" | rex "on [^ ]+ - (?P<Description>[^\"]+)" | stats count,latest(Description) as Description by host,Interface | search count >=100 | sort - count
Hi, thank you. Well, using the below I get Interface--count--host. Any chance I can modify the output so that I can see host--interface--count?
Thanks for your time
It worked, but with the below command:
index=XXX sourcetype="YYY" "Server Interface Down" | head 10000 | rex "(?i) Interface Down on (?P<INTERFACE>[^ ]+)" | stats count,latest(host) as host by INTERFACE
Thank you Renjith 🙂
Just replace latest(host) with values(host) to display all hosts in case there are multiple values.
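The extraction and grouping discussed in this thread, as an added example that is not from any of the posts: it generates four constructed events with `makeresults` so the `rex` and `stats` steps can be run without an index, and adds `table` to fix the column order as host, Interface, count. The host names, interface names and descriptions are made up, the field name `constructed_sample` is only there to mark the data as such, and the `count >=100` filter is left out because the sample is tiny.

```spl
| makeresults
| eval constructed_sample=split("sw-core-01,Server Interface Down on Gi0/1 - uplink to dist-a;sw-core-01,Server Interface Down on Gi0/1 - uplink to dist-a;sw-core-01,Server Interface Down on Gi0/2 - server rack 4;sw-edge-07,Server Interface Down on Gi0/1 - wan handoff", ";")
| mvexpand constructed_sample
| eval host=mvindex(split(constructed_sample, ","), 0), _raw=mvindex(split(constructed_sample, ","), 1)
| rex "(?i) Interface Down on (?P<Interface>[^ ]+)"
| rex "on [^ ]+ - (?P<Description>[^\"]+)"
| stats count, latest(Description) as Description by host, Interface
| table host Interface count Description
| sort - count
```

Grouping `by host, Interface` keeps Gi0/1 on sw-core-01 (count 2) separate from Gi0/1 on sw-edge-07 (count 1); grouping by Interface alone would merge them into a single row with count 3.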