Splunk Search

Combining results in a search

balcv
Contributor

I have a search that graphs the number of events based on host name. It even colour codes into Windows and Linux hosts. The search goes like this:

(index="main" OR index="win*")
| stats count as total by host,index
| eval host=lower(host)
| sort host
| eval Linux = if(index=="main",total, 0)
| eval Windows = if((index == "windows") or (index == "wineventlog"), total, 0)
| fields host Linux Windows

This works exactly as expected except in the scenario when a host reports via two different indexes. When this occurs, the host is shown twice, once for each index.

For example, host server1 has data indexed to Windows and to WinEventLog, so two entries appear for server1 (one for each index).

My question is, how can I get the search to combine the counts into a single entry so that I only see each host once?

I've tried something like "| eval Windows = if(index like "win%", total, 0)" but that does not give the desired result.

Any suggestions greatly appreciated.

0 Karma

aberkow
Builder

The reason eval won't work to combine two rows is that it's a streaming command https://docs.splunk.com/Documentation/Splunk/8.0.0/Search/Typesofcommands#Streaming_and_non-streamin... and works on an event level, while stats, which I suggest below, is a transforming command (transforms after all rows are indexed and can do aggregations like you're interested in doing).

0 Karma

aberkow
Builder

After line 6, add a | stats sum(Linux) as Linux, sum(Windows) as Windows by host. This should take all of the numeric values for all indexes post-characterization of Linux or Windows and sum them by host.

The alternative is to put your two eval statements first, and then using the same command I showed above in place of your stats command, but that option might be slightly more expensive. You can try them both and assuming they return the same values, pick whichever one returns faster!

Hope this helps
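The fix from this thread applied to the whole search, as an added example that is not from the original posts. The first three lines replace the real index search with a constructed dataset (the host and index names are made up) so the pipeline can be run on any Splunk instance without indexed data; `sort host` is moved after the final `stats` because that command's output replaces the earlier ordering.

```spl
| makeresults count=6
| streamstats count AS n
| eval host=case(n<=2, "Server1", n<=4, "server1", true(), "linuxbox")
| eval index=case(n<=2, "windows", n<=4, "wineventlog", true(), "main")
| stats count AS total BY host, index
| eval host=lower(host)
| eval Linux=if(index=="main", total, 0)
| eval Windows=if(index=="windows" OR index=="wineventlog", total, 0)
| stats sum(Linux) AS Linux, sum(Windows) AS Windows BY host
| sort host
```

Expected output is two rows, linuxbox (Linux=2, Windows=0) and server1 (Linux=0, Windows=4); the second row merges "Server1" and "server1" across both Windows indexes because `lower(host)` runs before the summing `stats`.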

balcv
Contributor

That did the trick. Thank you @aberkow

0 Karma