
How to get the count of forwarders that are reporting from each application/Workspace?

yu94
New Member

Hi Splunkers,

I want to get the count of forwarders that are reporting from each application/Workspace.

Example: I have created 4 apps/workspaces for 4 different teams.
So now I want to get the count of forwarders that are reporting from each application/Workspace.

Is there any search which can give me the above information in a single search?

Thanks in advance,
Thippesh

0 Karma

gcusello
SplunkTrust

Hi yu94,
you could create a lookup with your applications/Workspaces (e.g. AppWork.csv) containing the indexes, sourcetypes, or another unique field used in your applications, something like this:

App   index   sourcetype
App1  index1  sourcetype1
App1  index1  sourcetype2
App2  index2  sourcetype3
...

and then (using sourcetype) run a search like this:

| inputlookup AppWork.csv
| eval count=0
| append [ search index=* | stats count by sourcetype ]
| stats sum(count) AS Total by sourcetype
| lookup AppWork.csv sourcetype OUTPUT App
| stats values(sourcetype) AS sourcetype sum(Total) AS Total by App

You could limit your results by inserting the correct indexes in the subsearch (I don't know them) and, if you have other sourcetypes than those in the lookup, possibly filter the subsearch by your lookup:

| inputlookup AppWork.csv
| eval count=0
| append
     [ search index=* [ | inputlookup AppWork.csv | dedup sourcetype | fields sourcetype ]
     | stats count by sourcetype
     ]
| stats sum(count) AS Total by sourcetype
| lookup AppWork.csv sourcetype OUTPUT App
| stats values(sourcetype) AS sourcetype sum(Total) AS Total by App

Bye.
Giuseppe

0 Karma
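
An added example, not part of the answer above and not Splunk's own code: a variant that returns the number of distinct reporting hosts per app rather than the number of events. It assumes the AppWork.csv lookup described in the answer has columns named App and sourcetype, and that each forwarder reports under its own host value.

```spl
| tstats count WHERE index=* BY host sourcetype
``` map each host/sourcetype pair to its app; pairs outside the lookup are dropped ```
| lookup AppWork.csv sourcetype OUTPUT App
| where isnotnull(App)
``` count each host once per app, even if it sends several sourcetypes ```
| stats dc(host) AS forwarders values(sourcetype) AS sourcetype BY App
``` add a zero row for every app in the lookup so silent apps still appear ```
| append
     [ | inputlookup AppWork.csv
     | dedup App
     | fields App
     | eval forwarders=0 ]
| stats max(forwarders) AS forwarders values(sourcetype) AS sourcetype BY App
| sort App
```

An app that shows forwarders=0 for the selected time range has no host reporting any of its sourcetypes, which is worth checking as a log-coverage gap.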