Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- If I have two different searches without common fi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pavanae
Builder
08-31-2016
10:35 AM
I got a strange situation here. I have two different searches as follows.
search 1:
index=* [ search index=_internal os=Windows sourcetype=splunkd
| stats count by hostname
| rename hostname as host
| fields host ]
| stats values(source) as sources by host
Which displays all the Windows hosts and sources of them for all the indexes.
And I have another search as follows which displays the results including Windows and also other operating systems which satisfies the same search condition.
search 2:
index=* | regex _raw!=".2016-\d{2}-\d{2}." | stats values(sources) as sources by host
Now I'm looking to write a search which displays the search 2 results from only the Windows hosts..I'm not sure if we have to include the search 1 for getting required result?
Any suggestions would be great and points will be awarded for the best answer
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
08-31-2016
10:38 AM
Try this
index=*
[ search index=_internal os=Windows sourcetype=splunkd
| stats count by hostname
| rename hostname as host
| fields host ]
| regex _raw!=".2016-\d{2}-\d{2}."
| stats values(source) as sources by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
08-31-2016
10:38 AM
Try this
index=*
[ search index=_internal os=Windows sourcetype=splunkd
| stats count by hostname
| rename hostname as host
| fields host ]
| regex _raw!=".2016-\d{2}-\d{2}."
| stats values(source) as sources by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pavanae
Builder
08-31-2016
10:49 AM
what if I want to display all the sourcetypes too for each host besides the sources?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
08-31-2016
11:11 AM
You can add that too. Like this
index=*
[ search index=_internal os=Windows sourcetype=splunkd
| stats count by hostname
| rename hostname as host
| fields host ]
| regex _raw!=".2016-\d{2}-\d{2}."
| stats values(source) as sources values(sourcetype) as sourcetypes by host
Get Updates on the Splunk Community!
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
Introducing the 2024 Splunk MVPs!
We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...
Splunk Custom Visualizations App End of Life
The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...
