Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to get total without the join command?

JoshuaJohn
Contributor
‎09-24-2018 08:32 AM

I am trying to see the number of devices in a fleet by location without a specific setting applied. The data I have coming in shows the location, all devices in that location and the settings applied to each device.

alt text

OG: the location, MacAddress: devices missing the specific setting, Model: Type of device, Profile status: Missing "Specific setting", Not installed count: Count of devices in that location missing the setting, TotalCount: Total number of devices regardless of compliance with setting at that location, Compliance: Just a percentage of devices at that location that have the correct setting.

I am joining the same search to get the total number of devices at the location. The reason I am doing it this way is because I am filtering with a where in my search that will impact all values when I don't want it to impact my TotalCount. Anyway can I do this differently?

index=nitro_apps source="DATA" 
| rex "^[^,\n]*,(?P<OG>[^,]+)[^,\n]*,(?P<MacAddress>[^,]+)(?:[^ \n]* ){4}(?P<Model>[^,]+),(?P<OS>[^,]+),\w+,(?P<Profile>[^,]+),\d+,(?P<Latest_Version>\d+),(?P<Installed_Date>[^,]+)[^,\n]*,(?P<Installed>\w+)" 
| search "OG"=* Model="180" 
| eval IsProfileInstalled=if(in(Profile, "OID"),"true","false") 
| dedup MacAddress 
| where 'IsProfileInstalled'=="false" 
| eval Profile_Status="Missing "+ "OID" 
| stats list(MacAddress) as MacAddress, list(Model) as Model, list(Profile_Status) as Profile_Status, count as Not_Installed_Count by OG 
| join 
    [ search index=nitro_apps source="DATA" 
    | rex "^[^,\n]*,(?P<OG>[^,]+)[^,\n]*,(?P<MacAddress>[^,]+)(?:[^ \n]* ){4}(?P<Model>[^,]+),(?P<OS>[^,]+),\w+,(?P<Profile>[^,]+),\d+,(?P<Latest_Version>\d+),(?P<Installed_Date>[^,]+)[^,\n]*,(?P<Installed>\w+)"
    | search "OG"=*
    | where 'Model'="180" 
    | stats dc(MacAddress) as TotalCount by OG] 
| eval Compliance_% = round(((TotalCount-Not_Installed_Count)/TotalCount)*100, 2)
| table OG MacAddress Model Profile_Status Not_Installed_Count TotalCount Compliance_%

I also feel my dedup is ruining some of my data. Overall the question is can I be doing this better? I believe it can be optimized significantly.

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

zonistj
Path Finder
‎09-24-2018 11:10 AM

I think eventstats could do what you're trying to do:

index=nitro_apps source="DATA" 
 | rex "^[^,\n]*,(?P<OG>[^,]+)[^,\n]*,(?P<MacAddress>[^,]+)(?:[^ \n]* ){4}(?P<Model>[^,]+),(?P<OS>[^,]+),\w+,(?P<Profile>[^,]+),\d+,(?P<Latest_Version>\d+),(?P<Installed_Date>[^,]+)[^,\n]*,(?P<Installed>\w+)" 
 | search "OG"=* Model="180" 
 | eval IsProfileInstalled=if(in(Profile, "OID"),"true","false") 
 | eventstats dc(MacAddress) AS TotalCount by OG
 | dedup MacAddress 
 | where 'IsProfileInstalled'=="false" 
 | eval Profile_Status="Missing "+ "OID" 
 | stats list(MacAddress) as MacAddress, list(Model) as Model, list(Profile_Status) as Profile_Status, count as Not_Installed_Count, values(TotalCount) AS TotalCount by OG 
 | eval Compliance_% = round(((TotalCount-Not_Installed_Count)/TotalCount)*100, 2)
 | table OG MacAddress Model Profile_Status Not_Installed_Count TotalCount Compliance_%

Eventstats let's you calculate statistics but it appends your newly created fields to the existing data rather than transforming it the way the normal stats command does.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

zonistj
Path Finder
‎09-24-2018 11:10 AM

I think eventstats could do what you're trying to do:

index=nitro_apps source="DATA" 
 | rex "^[^,\n]*,(?P<OG>[^,]+)[^,\n]*,(?P<MacAddress>[^,]+)(?:[^ \n]* ){4}(?P<Model>[^,]+),(?P<OS>[^,]+),\w+,(?P<Profile>[^,]+),\d+,(?P<Latest_Version>\d+),(?P<Installed_Date>[^,]+)[^,\n]*,(?P<Installed>\w+)" 
 | search "OG"=* Model="180" 
 | eval IsProfileInstalled=if(in(Profile, "OID"),"true","false") 
 | eventstats dc(MacAddress) AS TotalCount by OG
 | dedup MacAddress 
 | where 'IsProfileInstalled'=="false" 
 | eval Profile_Status="Missing "+ "OID" 
 | stats list(MacAddress) as MacAddress, list(Model) as Model, list(Profile_Status) as Profile_Status, count as Not_Installed_Count, values(TotalCount) AS TotalCount by OG 
 | eval Compliance_% = round(((TotalCount-Not_Installed_Count)/TotalCount)*100, 2)
 | table OG MacAddress Model Profile_Status Not_Installed_Count TotalCount Compliance_%

Eventstats let's you calculate statistics but it appends your newly created fields to the existing data rather than transforming it the way the normal stats command does.

0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎09-24-2018 11:49 AM

I don't know why I completely forgot about the existence of eventstats, thank you so much.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...