- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do I compare the count of the same field f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Now I have a problem:
I have a index data which has multiple sources and they have the same sourcetype.
index=t_web sourcetype=t_web_pect
source such as :
t_we_a1.txt ,t_we_a2.txt , t_we_a3.txt
They have the same fields, because of source type fields such as: scan_system_name scan_level.
Different sources may have the same scan_system_name
now I want to get a table ,such as :
sys_Name number of recent scan_level number of recent scan_level Compared with the last scan
name1 66 60 More than the last one
name2 57 68 Fewer than the last one
name3 34 34 The number has't changed
name1 may in multiple sources. I just need to get the same system name.
What should I do?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have solved this problem:
index=t_web
| stats count(scan_level) as levelcount by scan_system_name _time
| streamstats latest(levelcount) as a by scan_system_name current=f
| fillnull value=0 a
| eval aa = levelcount-a
| stats latest(_time) as _time latest(a) as lastCount latest(levelcount) as finalScan count as scanCount latest(aa) as ComparedWithLast by scan_system_name
| eval ComparedWithLast = CASE ( 'scanCount'==1, "Only Scan One", ('scanCount'>1 and 'ComparedWithLast'>0), "More than the last one", 'ComparedWithLast'<0, "Fewer than the last one", ('scanCount'>1 and 'ComparedWithLast'==0), "The number has't changed")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have solved this problem:
index=t_web
| stats count(scan_level) as levelcount by scan_system_name _time
| streamstats latest(levelcount) as a by scan_system_name current=f
| fillnull value=0 a
| eval aa = levelcount-a
| stats latest(_time) as _time latest(a) as lastCount latest(levelcount) as finalScan count as scanCount latest(aa) as ComparedWithLast by scan_system_name
| eval ComparedWithLast = CASE ( 'scanCount'==1, "Only Scan One", ('scanCount'>1 and 'ComparedWithLast'>0), "More than the last one", 'ComparedWithLast'<0, "Fewer than the last one", ('scanCount'>1 and 'ComparedWithLast'==0), "The number has't changed")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not understand your situation. If you will give a small set of sample data and the desired output (perhaps with commentary on how the normal way of doing it would give the wrong output and show the wrong output), then I will try to help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @WXY
Are you still having trouble with this issue? If so, please answer the commenter above so that they can help you further. There is also an answer below — did you try out their solution? Or, if you solved your query on your own, please describe the steps you took so that others can learn from your solution.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use some conditional logic like this
| eval count_source_one=if(SOURCE1=source1, 'count',"")
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
