Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to separate the count of two fields into ranges?

skelly99
Explorer
‎08-29-2018 09:52 AM

Hi - I have a dataset which contains two scan dates fields per server. There are 50000 events in the dataset, one event per server.

hostname, days_since_hw_scan, days_since_sw_scan
server1,2,3
server2,20,10
server3,5,19
....
...

I want to summarise the data set so that I have a count of both scan date fields within a range of days, eg

Range of Days. hw_host_scan_count, sw_host_scan_count
0-5, x , y
6-10, x , y
11-15, x, y
...
...

I can get this OK for one of the field using the chart command below but I am looking for a table which includes both fields.

chart count by hw_host_scan_count span=5

Any suggestions appreciated.

Thanks.

Reply
1 Solution
Solved! Jump to solution
Solution

harishalipaka
Motivator
‎08-30-2018 02:20 AM

hi @skelly99

can you try like this 

|makeresults |eval hostname="server1" ,days_since_hw_scan=2,days_since_sw_scan=3 |append [|makeresults |eval hostname="server2" ,days_since_hw_scan=20,days_since_sw_scan=10 ] |append [|makeresults |eval hostname="server3" ,days_since_hw_scan=5,days_since_sw_scan=19 ] |table hostname, days_since_hw_scan, days_since_sw_scan |chart count as hw_host_scan_count by days_since_hw_scan span=5 |rename days_since_hw_scan as days_since_sw_scan

|join days_since_sw_scan [|makeresults |eval hostname="server1" ,days_since_hw_scan=2,days_since_sw_scan=3 |append [|makeresults |eval hostname="server2" ,days_since_hw_scan=20,days_since_sw_scan=10 ] |append [|makeresults |eval hostname="server3" ,days_since_hw_scan=5,days_since_sw_scan=19 ] |table hostname, days_since_hw_scan, days_since_sw_scan |chart count as sw_host_scan_count by days_since_sw_scan span=5 ]
Thanks
Harish

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

harishalipaka
Motivator
‎08-30-2018 02:20 AM

hi @skelly99

can you try like this 

|makeresults |eval hostname="server1" ,days_since_hw_scan=2,days_since_sw_scan=3 |append [|makeresults |eval hostname="server2" ,days_since_hw_scan=20,days_since_sw_scan=10 ] |append [|makeresults |eval hostname="server3" ,days_since_hw_scan=5,days_since_sw_scan=19 ] |table hostname, days_since_hw_scan, days_since_sw_scan |chart count as hw_host_scan_count by days_since_hw_scan span=5 |rename days_since_hw_scan as days_since_sw_scan

|join days_since_sw_scan [|makeresults |eval hostname="server1" ,days_since_hw_scan=2,days_since_sw_scan=3 |append [|makeresults |eval hostname="server2" ,days_since_hw_scan=20,days_since_sw_scan=10 ] |append [|makeresults |eval hostname="server3" ,days_since_hw_scan=5,days_since_sw_scan=19 ] |table hostname, days_since_hw_scan, days_since_sw_scan |chart count as sw_host_scan_count by days_since_sw_scan span=5 ]
Thanks
Harish
0 Karma
Reply
Solved! Jump to solution

skelly99
Explorer
‎08-31-2018 12:22 AM

Hi - thanks that helped - I had thought I'd done this previously without the need for the join but can't find the search so perhaps I am imagining this.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...