- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you help me with my stats count?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello
I use the request below, which works:
index="windows" sourcetype="wineventlog:Application" "SourceName=*" Type="Critique" OR Type="Avertissement"
| dedup _time SourceName
| table _time SourceName |
stats count by SourceName
| rename SourceName as Application count as Erreurs
| sort - Erreurs limit=10
I try to do the count also by host
so i do this :
index="windows" sourcetype="wineventlog:Application" "SourceName=*" Type="Critique" OR Type="Avertissement"
| dedup _time SourceName
| table _time SourceName |
stats count by SourceName host
| rename SourceName as Application count as Erreurs
| sort - Erreurs limit=10
but it doesn't work.
could you help me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The reason second search doesn't work because your table command (line 3) restricts the fields in result to _time and SourceName only. There is not host field after that table command, thus next stats doesn't work.
You can try something like this
index="windows" sourcetype="wineventlog:Application" "SourceName=*" Type="Critique" OR Type="Avertissement"
| stats dc(_time) as Erreurs by SourceName host
| rename SourceName as Application
| sort - Erreurs limit=10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
many thanks for all your perfect answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
You can also use the top function like that :
index="windows" sourcetype="wineventlog:Application" "SourceName=*" Type="Critique" OR Type="Avertissement"
| top 10 SourceName,host
That should return you the same result than the =search you were writing.
KailA
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The reason second search doesn't work because your table command (line 3) restricts the fields in result to _time and SourceName only. There is not host field after that table command, thus next stats doesn't work.
You can try something like this
index="windows" sourcetype="wineventlog:Application" "SourceName=*" Type="Critique" OR Type="Avertissement"
| stats dc(_time) as Erreurs by SourceName host
| rename SourceName as Application
| sort - Erreurs limit=10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @jip31,
First of all, you do not need to do dedup if you will do a stats count, you will have the same result and stats count is faster.
Table is only aesthetic, so you do not need to do it at first, or maybe use fields, to have a faster query, but I think it will not be necessary.
And, ah! You had a typo with the field Source name!
Try this query:
index="windows" sourcetype="wineventlog:Application" SourceName=* Type="Critique" OR Type="Avertissement"
| stats count by SourceName host
| rename SourceName as Application count as Erreurs
| sort - Erreurs limit=10
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
