Hello All,
I have a simple search that returns a list of host and time stamps:
host _time
x 2018-03-23 11:54
y 2018-03-23 11:55
z 2018-03-23 11:56
It's possible to have 2 times the same host in the list, in that case I would like to have "(2)" displayed next to the name of the second host, like this:
host _time
x 2018-03-23 11:54
y 2018-03-23 11:55
x(2) 2018-03-23 11:55
z 2018-03-23 11:56
How can I do that?
Do you want the 2 next to the host and in the same column, or a separate column with the count of hosts?
Your search | fields host, _time | eventstats count(host) as hostCount by _time | table host, hostCount, _time
Your search | fields host, _time | eventstats count(host) as hostCount by _time | eval hostAndCount = host." (".hostCount.")" | table host, hostAndCount, hostCount, _time
In situations where you only want to show a number if the host count is greater than one:
Your search | fields host, _time | eventstats count(host) as hostCount by _time | eval hostAndCount = if(hostCount > 1, host." (".hostCount.")", host) | table host, hostAndCount, hostCount, _time
@lucien62 try the following
<yourBaseSearch>
| streamstats count as sno by host
| eval host=host."(".sno.")"
| table _time host
Following is a run-anywhere search based on Splunk's _internal index which samples some splunkd errors and displays the count of hosts with errors over time:
index="_internal" sourcetype="splunkd" log_level!="INFO" component!="Metrics" AND component!="ExecProcessor"
| head 50
| streamstats count as sno by component
| eval component=component."(".sno.")"
| table _time component
PS: I have used streamstats to apply a statistical aggregate on streaming data over time, based on your sample data. If you have stats, a similar approach should still work. Please try it out and confirm.
I would prefer having the "2" next to the host name in the same column.
This will be used to identify when the same log is detected on the same server but at a different time.
This is the current search I'm using:
index=wineventlog host=* EventCode=55555 Message="blablabla..." | table host _time | sort -_time asc
So you don’t want to split by time then.
Your search | fields host, _time | eventstats count(host) as hostCount | eval host = if(hostCount > 1, host." (".hostCount.")", host) | table host, _time
Btw, what the above search does is count all hosts by host name over your search time and then concatenate that sum of hosts next to your host if the resultant host count is greater than 2. Since I assume you are scanning events by _time, which is what is populating the time field, you will see duplicate results if you come across more than one host with the same host name. E.g.:
1:20 host1 (2)
1:22 host2
1:24 host1 (2)
Or you can do:
Your search | fields host, _time | eventstats count(host) as hostCount by _time | eval hostAndCount = host." (".hostCount.")" | table host, hostAndCount, hostCount, _time
In situations where you only want to show a number if the host count is greater than one:
Your search | fields host, _time | eventstats count(host) as hostCount by _time | eval hostAndCount = if(hostCount > 1, host." (".hostCount.")", host) | table host, hostAndCount, hostCount, _time
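The two answers above differ in what number ends up next to the host: streamstats (the earlier answer) assigns a running sequence number per host, so only the repeated row gets "(2)", whereas eventstats writes the total onto every row, so both occurrences get "(2)", and counting "by _time" numbers rows that share a timestamp instead. The following Python script is an added example, not code from the thread or from Splunk; it emulates those three SPL variants over a constructed copy of the sample table from the question so the difference can be checked offline. The function names and the `label_first` / `by_time` parameters are my own.

```python
from collections import Counter

# Constructed sample events in the shape of the question's table (host, _time).
# Host "x" appears twice, which is the situation being asked about.
SAMPLE_EVENTS = [
    {"host": "x", "_time": "2018-03-23 11:54"},
    {"host": "y", "_time": "2018-03-23 11:55"},
    {"host": "x", "_time": "2018-03-23 11:55"},
    {"host": "z", "_time": "2018-03-23 11:56"},
]


def _in_time_order(events):
    # Python's sort is stable, so rows with the same _time keep input order,
    # mirroring how Splunk streams results in order.
    return sorted(events, key=lambda e: e["_time"])


def streamstats_label(events, label_first=False):
    """Emulate: | streamstats count as sno by host | eval host=host."(".sno.")"

    streamstats keeps a running per-host count in stream order, so the first
    occurrence of a host gets 1 and the second gets 2. With label_first=False
    the eval is treated as if(sno > 1, host."(".sno.")", host), which matches
    the question (suffix only on the repeated host); label_first=True matches
    the answer as posted, where every row carries its sequence number.
    """
    seen = Counter()
    out = []
    for ev in _in_time_order(events):
        seen[ev["host"]] += 1
        sno = seen[ev["host"]]
        if sno > 1 or label_first:
            label = f"{ev['host']}({sno})"
        else:
            label = ev["host"]
        out.append({"host": label, "_time": ev["_time"]})
    return out


def eventstats_label(events, by_time=False):
    """Emulate: | eventstats count(host) as hostCount [by _time]
                | eval host=if(hostCount > 1, host." (".hostCount.")", host)

    eventstats computes the total over the whole result set and writes the
    same value onto every event, so both occurrences of "x" become "x (2)".
    With by_time=True the count is split per timestamp instead, so rows that
    merely share a _time get numbered, which is why the thread drops "by _time".
    """
    key = (lambda e: e["_time"]) if by_time else (lambda e: e["host"])
    total = Counter(key(ev) for ev in events)
    out = []
    for ev in _in_time_order(events):
        n = total[key(ev)]
        label = f"{ev['host']} ({n})" if n > 1 else ev["host"]
        out.append({"host": label, "_time": ev["_time"]})
    return out


def hosts(rows):
    """Return just the host column, for comparing the three variants."""
    return [r["host"] for r in rows]


if __name__ == "__main__":
    for name, rows in [
        ("streamstats, suffix on repeats only", streamstats_label(SAMPLE_EVENTS)),
        ("streamstats as posted", streamstats_label(SAMPLE_EVENTS, label_first=True)),
        ("eventstats by host", eventstats_label(SAMPLE_EVENTS)),
        ("eventstats by _time", eventstats_label(SAMPLE_EVENTS, by_time=True)),
    ]:
        print(name)
        for r in rows:
            print(f"  {r['host']:<6} {r['_time']}")
```

Running it shows that only the streamstats variant produces the exact output the question asks for (x, y, x(2), z); the eventstats variant marks both x rows, which is fine if the goal is simply to spot a host that raised the same event more than once, but it does not say which row was the repeat.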
In which cases do you want to have duplicated values of host?
I don't know which search you are doing there, but if you are doing a stats latest(host) by _time, a stats values(host) by _time gives as many values as exist in the field (instead of having one per host).
But I think more clarification would be fruitful here.