My data is from the same source but I would like to count the number of times a host appears on the event based on two fields criteria. How can I do that without hitting search limit?
index=my_index source=my_source
(source_host=remote* OR dest_host=remote*)
| eval name=coalesce(source_host,dest_host)
| stats count by name
Thank you very much!
Try this:
index=my_index source=my_source (source_host=remote* OR dest_host=remote*)
| multireport
[ stats count by source_host ]
[ stats count by dest_host ]
| eval name=coalesce(source_host,dest_host)
| fields - *_host
minor amendments 🙂
index=my_index source=my_source (source_host=remote* OR dest_host=remote*)
| multireport
[ stats count by source_host ]
[ stats count by dest_host ]
| eval name=coalesce(source_host,dest_host)
| fields - *_host
| stats sum(count) as count by name
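As an added illustration (not part of this thread or of Splunk), a small Python simulation of both searches over constructed events shows why the coalesce() version undercounts a host that appears in dest_host of an event that also has a source_host, while the multireport-then-sum version credits every appearance. The event records and the "remote*" pattern are made up here.

```python
from collections import Counter
from fnmatch import fnmatch

# Constructed sample events (not from the thread); an event may carry
# a source_host, a dest_host, or both.
EVENTS = [
    {"source_host": "remote-a", "dest_host": "remote-b"},
    {"source_host": "remote-a", "dest_host": "local-1"},
    {"source_host": "local-2", "dest_host": "remote-b"},
    {"dest_host": "remote-a"},
    {"source_host": "remote-b"},
]

HOST_FIELDS = ("source_host", "dest_host")

def matches_filter(event, pattern="remote*"):
    """Mimics the base search: keep events where either host field matches."""
    return any(fnmatch(event.get(f, ""), pattern) for f in HOST_FIELDS)

def count_by_coalesce(events, pattern="remote*"):
    """The original search: coalesce() keeps only the first non-null field,
    so an event carrying both hosts credits source_host alone."""
    counts = Counter()
    for ev in (e for e in events if matches_filter(e, pattern)):
        name = ev.get("source_host") or ev.get("dest_host")
        counts[name] += 1
    return dict(counts)

def count_each_appearance(events, pattern="remote*"):
    """The multireport approach: count per field, then sum per host name,
    so an event contributes once for every host field it carries.
    As in the thread's search, non-matching hosts in a matched event
    are still counted."""
    per_field = {f: Counter() for f in HOST_FIELDS}
    for ev in (e for e in events if matches_filter(e, pattern)):
        for f in HOST_FIELDS:
            if f in ev:
                per_field[f][ev[f]] += 1   # like "stats count by <field>"
    total = Counter()
    for c in per_field.values():
        total.update(c)                    # like "stats sum(count) by name"
    return dict(total)

if __name__ == "__main__":
    print("coalesce:", count_by_coalesce(EVENTS))
    print("per appearance:", count_each_appearance(EVENTS))
```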
I agree. Missed it by >that< much.
Except you don't need the fields - *_host in that case.
The above search seems to be good. It should be constrained by limits.conf only.
What type of limit are you hitting?
I was trying to apply the answer from this good post, but I cannot make it work.
The coalesce results in only one side. I want to count each time a host appears in either source_host or destination_host.
https://answers.splunk.com/answers/524250/how-to-search-for-matches-in-two-different-searche.html