Advanced Search Examples - Implementing Splunk: Big Data Reporting and Development for Operational Intelligence - page 133

Databases Reference

In-Depth Information

Now using eval , we can label everything beyond row 5 as OTHER , and flatten

rownum beyond 5 :

sourcetype="impl_splunk_gen" error

| stats count by logger user

| eventstats sum(count) as totalcount

| eval percent=count/totalcount*100

| sort -count

| eval rownum=1

| accum rownum

| eval logger=if(rownum>5,"OTHER",logger)

| eval user=if(rownum>5,"OTHER",user)

| eval rownum=if(rownum>5,6,rownum)

This gives us (only the first 10 rows are shown):

Next, we will recombine the values using stats . Events are sorted by the fields listed

after by , which will maintain our original order:

sourcetype="impl_splunk_gen" error

| stats count by logger user

| eventstats sum(count) as totalcount

| eval percent=count/totalcount*100

| sort -count

| eval rownum=1

| accum rownum

| eval logger=if(rownum>5,"OTHER",logger)

| eval user=if(rownum>5,"OTHER",user)

| eval rownum=if(rownum>5,6,rownum)

| stats

sum(count) as count

sum(percent) as percent

by rownum logger user

Next Page

Implementing Splunk: Big Data Reporting and Development for Operational Intelligence

Search WWH ::

Custom Search

Home