How to display "(2)" next to hostname when a second host has been detected in the list?

lucien62
New Member

Hello All,

I have a simple search that returns a list of host and time stamps:

host   _time
x      2018-03-23 11:54
y      2018-03-23 11:55
z      2018-03-23 11:56

It's possible to have 2 times the same host in the list, in that case I would like to have "(2)" displayed next to the name of the second host, like this:

host   _time
x      2018-03-23 11:54
y      2018-03-23 11:55
x(2)   2018-03-23 11:55
z      2018-03-23 11:56

How can I do that?

0 Karma

damiensurat
Contributor

Do you want the 2 next to the host and in the same column, or a separate column with the count of hosts?

Your search | fields host, _time | eventstats count(host) as hostCount by _time | table host, hostCount, _time

Your search | fields host, _time | eventstats count(host) as hostCount by _time | eval hostAndCount = host." (".hostCount.")" | table host, hostAndCount, hostCount, _time

In situations where you only want to show a numeric if the host count is greater than one:

Your search | fields host, _time | eventstats count(host) as hostCount by _time | eval hostAndCount = if(hostCount > 1, host." (".hostCount.")", host) | table host, hostAndCount, hostCount, _time

0 Karma

niketn
Legend

@lucien62 try the following

<yourBaseSearch>
| streamstats count as sno by host
| eval host=host."(".sno.")"
| table _time host

Following is a run anywhere search based on Splunk's _internal index which samples some splunkd errors and displays the count of host with errors over time:

index="_internal" sourcetype="splunkd" log_level!="INFO" component!="Metrics" AND component!="ExecProcessor" 
| head 50
| streamstats count as sno by component
| eval component=component."(".sno.")"
| table _time component

PS: I have used streamstats to apply statistical aggregate on streaming data over time based on your sample data. If you have stats, similar approach should still work. Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


lucien62
New Member

I would prefer having the "2" next to the host name in the same column.

This will be used to identify when the same log is detected on the same server but at a different time.

This is the current search I'm using:

index=wineventlog host=* EventCode=55555 Message="blablabla..." | table host _time | sort -_time asc

0 Karma

damiensurat
Contributor

So you don’t want to split by time then.

Your search | fields host, _time | eventstats count(host) as hostCount | eval host = if(hostCount > 1, host." (".hostCount.")", host) | table host, _time

0 Karma
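Putting the two approaches in this thread together gives exactly the table the question asks for: niketn's streamstats sequence number marks each repeat of a host, and damiensurat's if() keeps the suffix off the first occurrence. The following is an added run-anywhere example, not code posted by anyone in the thread; the first four lines build the question's sample rows with makeresults (constructed data) and are replaced by the real base search in practice. The sort before streamstats is the important part: streamstats numbers rows in the order they arrive, so the search must be in ascending _time order for "(2)" to land on the later recurrence of the same event on the same host.

```spl
| makeresults count=4
| streamstats count as row
| eval host=case(row==1, "x", row==2, "y", row==3, "x", row==4, "z")
| eval minute=case(row==1, 54, row==2, 55, row==3, 55, row==4, 56)
| eval _time=strptime("2018-03-23 11:".minute, "%Y-%m-%d %H:%M")
| fields - row minute
| sort 0 _time
| streamstats count as sno by host
| eval host=if(sno > 1, host."(".sno.")", host)
| table host _time
```

Expected rows, in order: x at 11:54, y at 11:55, x(2) at 11:55, z at 11:56. A third occurrence would show as x(3), so the suffix also tells you how many times the event has recurred on that host within the search window; if you only want a flag rather than a running count, change the eval to if(sno > 1, host."(2)", host).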

damiensurat
Contributor

Btw. What the above search does is counts all hosts by host name over your search time and then concatenates that sum of hosts next to your host if the resultant host count is greater than 2. Since I assume you are scanning events by _time which is what is populating the time field, you will see duplicate results if you come across more than one host with the same host name. Eg:
1:20 host1 (2)
1:22 host2
1:24 host1 (2)

0 Karma


tiagofbmm
Influencer

In which cases do you want to have duplicated values of host?

I don't know which search you are doing there, but if you are doing a stats latest(host) by _time, a stats values(host) by _time gives as many values as exist in the field (instead of having one per host).

But I think more clarifications would be fruitful here.

0 Karma