Solved: Append Columns to Top Output

samhodgson · ‎03-26-2018

Hi,

I have the following search and I would like to enumerate a total event count prior to the Top function and then append it to the results:

`nagios_index` `nagios_core_sourcetype` host_name="*" ((eventname="SERVICE ALERT" NOT status_code="OK") OR 
(eventname="HOST ALERT" NOT status_code="UP")) 
| eval name=if(eventname=="HOST ALERT","Host",service) 
| top eventname,host_name,name limit="100"

The macro's at the start just specify the index and sourcetype. From what I can tell there is no way to append columns to Top's output? Any help on the best way to achieve the desired output would be greatly appreciated!

Cheers

tiagofbmm · ‎03-26-2018

Hey

Can you use eventstats before doing the count?

 `nagios_index` `nagios_core_sourcetype` host_name="*" ((eventname="SERVICE ALERT" NOT status_code="OK") OR 
 (eventname="HOST ALERT" NOT status_code="UP")) 
 | eval name=if(eventname=="HOST ALERT","Host",service) 
 | eventstats count(whatever_you_want_to_count) as CountField
 | top eventname,host_name,name,CountField limit="100"

View solution in original post

tiagofbmm · ‎03-26-2018

Hey

Can you use eventstats before doing the count?

 `nagios_index` `nagios_core_sourcetype` host_name="*" ((eventname="SERVICE ALERT" NOT status_code="OK") OR 
 (eventname="HOST ALERT" NOT status_code="UP")) 
 | eval name=if(eventname=="HOST ALERT","Host",service) 
 | eventstats count(whatever_you_want_to_count) as CountField
 | top eventname,host_name,name,CountField limit="100"

Append Columns to Top Output

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!