Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search string query

francly
Explorer
‎09-25-2017 07:37 PM

Hi I can use the search string to get the statistics output

index=data sourcetype="data1" host=HOSTA | stats count by NAME | sort -count | head 3

Name Count
SRV1 800
SRV2 600
SRV6 700

Question is how I continue use string to query each of the output "Name" to display a new field "RULE" under "Name"

Example

index=data sourcetype="data1" host=HOSTA Name=SRV1 | stats count by RULE | sort -count

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎09-27-2017 10:48 PM

You can try something like this...

index=data sourcetype="data1" host=HOSTA Name=SRV1 
| stats count by NAME RULE 

| rename COMMENT as "Chew all the records up again to get the top 3 names"
| appendpipe [| stats sum(count) as totcount by NAME | sort 3 - totcount]

| rename COMMENT as "Roll the top 3 totcount onto all records with that NAME, then drop all records without totcount"
| eventstats values(totcount) as totcount by NAME
| where isnotnull(totcount)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-26-2017 02:31 AM

Hi francly,
I'm not sure to have understood you request: do you want to create a new query or use the same to have a subdivision of RULES by NAMEs?

If the first you already have the solution.

If the second you can use 

index=data sourcetype="data1" host=HOSTA Name=SRV1 | stats count by NAME RULE | sort -count

and take the first 3.

Remeber that if you want a stats by one field (e.g. stats count by NAME) it's easier to use top command.

Bye.
Giuseppe

0 Karma
Reply

francly
Explorer
‎09-26-2017 02:50 AM

Hi Giuseppe,

I want to know based on my output

index=data sourcetype="data1" host=HOSTA | stats count by NAME | sort -count | head 3

Name Count
SRV1 800
SRV2 600
SRV6 700

it's any string of script will automatically take "Name" from the output in this 3 name or potentially more name to get the top "Rule"

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-26-2017 04:23 AM

Hi francly,
you can add values(RULE) AS RULE to have a list of all rules for each host, is it what you like?
something like this

index=data sourcetype="data1" host=HOSTA 
| stats values(RULE) AS RULE count by NAME 
| sort -count 
| head 3

Bye.
Giuseppe

0 Karma
Reply

francly
Explorer
‎09-26-2017 08:34 PM

Hi Giuseppe, it's possible to break down the count for all the rule? right now I'm only getting 1 rule per Name

Name Total Count
SRV1 800
Rule1 500
Rule2 200
Rule3 100

SRV2 600
SRV6 700

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-27-2017 04:02 AM

Hi francly,
try this

index=data sourcetype="data1" host=HOSTA 
| stats count by NAME, RULE
| search [ search 
   index=data sourcetype="data1" host=HOSTA 
   | stats count by NAME 
   | head 3 
   | fields NAME 
   ]
| eventstats sum(count) as rank by NAME
| appendpipe  [ stats values(rank) AS rank sum(count) AS Total by NAME ] 
| sort 0 -rank NAME -Total -count
| fields - rank
| eval NAME=if(Total>0,NAME,"")

Bye.
Giuseppe

0 Karma
Reply

francly
Explorer
‎09-27-2017 08:32 PM

Hi Giuseppe,

I getting this not relevant output

alt text

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-28-2017 12:44 AM

Sorry I cannot see your output.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...