while giving "Bonnie's Boutique" a count of 2, since it happens over 2 days. I'm having a hard time grouping "Ma & Pa's Bait Shop" count into 1, since it happens on the same date. I want to take the original log and sort it by Company Name, Help_Desk_Agent, Customer Number, and the Date. Here's the logs:

Company Help_Desk_Agent Customer# Call_Date

stats sum(count) as count avg(count) as avg stdev(count) as stdev sum(eval(if(time > relativetime(now.

What I'm trying to do is take the logs and do a count, while sorting it by multiple fields. We have taken all the splunk queries in a tabular format by the table command. Here raw is an existing internal field of the splunk. stats count by severity signature dest time. If you add a uniq/dedup after, it doesn't have any effect. I'm new to splunk and kinda stuck, so any help would be greatly appreciated. So, when I do the lists, I get multiple not unique values in list(topics). The issue that I am having is that at the time I join the topics in, the topics show up multiple times - it will join by instance, so for every queue line it finds it adds the topic line. Eg if queues are queue1, queue2 and topics are topic1, you will get

This is because the eval function always. Note the use of sum instead of count in the stats commands. To get counts for different time periods, we usually run separate searches and combine the results. To put multiple values in a cell we usually concatenate the values into a single value.

index="ems" sourcetype="queueconfig" | multikv noheader=true | rename Column_1 as queues | join instance | stats list(queues),list(topics) by instance

Splunk tables usually have one value in each cell.

index="ems" sourcetype="topicconfig" | multikv noheader=true | rename Column_1 as topics | stats list(topics) by instance

But now I want to join them into one search like this.

I have the following search that does the same for topics. It splits the events into single lines and then I use stats to group them by instance: stats count by er, data.email rename er to user References. I guess learning this method is always better, since it also works when trying to count by multiple items. stats count by er rename er to user The latter works as expected. This part just generates some test data. stats count by er as user is not the same as. So, here's one way you can mask the RealLocation with a display 'location' by checking to see if the RealLocation is the same as the prior record, using the autoregress function. indexfoo stats count, values (fields.type) as Type by fields.name fields fields. One solution is to use the append command and then re-group the results using stats. So, if the token you are passing is a field name and not a value of a field, then it would work. The order and count of results from appendcols must be exactly the same as that from the main search and other appendcols commands or they won't 'line up'. In the original answer, the example was asking for mvcount against a known field name. You just want to report it in such a way that the Location doesn't appear. It probably depends on what the token represents.

index="ems" sourcetype="queueconfig" | multikv noheader=true | rename Column_1 as queues | stats list(queues) by instance

Your data actually IS grouped the way you want. I am trying to build up a report using multiple stats, but I am having issues with duplication.