Appreciate the answer to my original question, but it leads me to a couple of additional issues:
0) As I write this, it was suggested that I tag it or link it back to the original question, and I don't see how to do either of those things... Help??!
1) The following query seems to work:
index="netcool" | stats count by tgtHostname, supportGroup | where count > 50 | stats count(tgtHostname) by supportGroup
This produces a list of support groups and a column which counts the number of hosts that have 50+ events associated with them. I can create a pie chart report out of this. So far so good...
The original suggested query was this:
[Search string] | stats count as EventCount by host, SupportGroup | where count > 100 | stats count(host) by SupportGroup
and my first question is - what does the 'as EventCount' mean, and is that supposed to be literal text or does EventCount correspond to one of my event columns? When I include that text, the query simply does nothing...
2) The query above generates 2 columns of data - I would like to display a third column, which would contain the sum total of all the events associated with the hosts in the given host group.
So instead of
SG_001 6
SG_002 4
SG_003 10
where the first row shows that support group SG_001 has 6 hosts with 50+ events, I'd like to generate
SG_001 6 200
SG_002 4 1000
SG_003 10 900
where the first row shows that SG_001 has 6 hosts with 50+ events, and those 6 hosts have a total of 200 events associated with them...
I'm working out the query language, but I would appreciate any help you can give me on this as I get started...
Thanks in advance,
nbc
When you do a | stats count as EventCount it will rename count to EventCount.
I believe that search should have looked like this to work:
[Search string] | stats count as EventCount by host, SupportGroup | where EventCount > 100 | stats count(host) by SupportGroup
If the rename to EventCount was not there it would have worked the first time. Could have been a typo.
Travis.
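The full search with the third column from the question (the summed event count for the hosts in each group), written out here as an added example rather than as the original poster's or answerer's query. It uses the field names from the working search in the question (index="netcool", tgtHostname, supportGroup) and assumes the 50-event threshold; the alias names HostCount and TotalEvents are arbitrary.

```spl
index="netcool"
| stats count as EventCount by tgtHostname, supportGroup
| where EventCount > 50
| stats count(tgtHostname) as HostCount, sum(EventCount) as TotalEvents by supportGroup
| sort - HostCount
```

The first stats produces one row per host/support-group pair with its event count renamed to EventCount. Because the rename happens there, the where clause has to test EventCount and not count: a where on a field that no longer exists is false for every row, which is why the original query returned nothing. The second stats then counts the surviving hosts per support group and, in the same pass, sums their EventCount values, so TotalEvents only includes events from hosts that cleared the threshold (the 200/1000/900 column in the question). For the pie chart, use HostCount as the value field; TotalEvents is carried along as the extra column in the table.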
Here is your original issue:
http://answers.splunk.com/questions/8862/new-user-trying-to-work-out-a-report