Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: If I have two different searches without commo...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pavanae
Builder
08-31-2016
10:35 AM
I got a strange situation here. I have two different searches as follows.
search 1:
index=* [ search index=_internal os=Windows sourcetype=splunkd
| stats count by hostname
| rename hostname as host
| fields host ]
| stats values(source) as sources by host
Which displays all the Windows hosts and sources of them for all the indexes.
And I have another search as follows which displays the results including Windows and also other operating systems which satisfies the same search condition.
search 2:
index=* | regex _raw!=".2016-\d{2}-\d{2}." | stats values(sources) as sources by host
Now I'm looking to write a search which displays the search 2 results from only the Windows hosts..I'm not sure if we have to include the search 1 for getting required result?
Any suggestions would be great and points will be awarded for the best answer
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
08-31-2016
10:38 AM
Try this
index=*
[ search index=_internal os=Windows sourcetype=splunkd
| stats count by hostname
| rename hostname as host
| fields host ]
| regex _raw!=".2016-\d{2}-\d{2}."
| stats values(source) as sources by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
08-31-2016
10:38 AM
Try this
index=*
[ search index=_internal os=Windows sourcetype=splunkd
| stats count by hostname
| rename hostname as host
| fields host ]
| regex _raw!=".2016-\d{2}-\d{2}."
| stats values(source) as sources by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pavanae
Builder
08-31-2016
10:49 AM
what if I want to display all the sourcetypes too for each host besides the sources?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
08-31-2016
11:11 AM
You can add that too. Like this
index=*
[ search index=_internal os=Windows sourcetype=splunkd
| stats count by hostname
| rename hostname as host
| fields host ]
| regex _raw!=".2016-\d{2}-\d{2}."
| stats values(source) as sources values(sourcetype) as sourcetypes by host
Get Updates on the Splunk Community!
Observability | Use Synthetic Monitoring for Website Metadata Verification
If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
.conf24 | Personalize your .conf experience with Learning Paths!
Personalize your .conf24 Experience
Learning paths allow you to level up your skill sets and dive deeper ...
