...

Code Block
| eventcount summarize=false index=* index=_* 
| dedup index
| rename count as countofevents
| fields index countofevents
| sort countofevents DESC

Note: in order to conserve space on this page for the remaining queries,

...

Code Block
| inputlookup spl-customer-host.csv 
| WHERE  NOT (displaycustomer in ("omdemo","omdev", "omqa", "omtrain")) 
| dedup displaycustomer  
| lookup spl-customer-host.csv displaycustomer OUTPUT crmcustomer cloudenv hostlookup

The high water mark of unique agent logins across production:

Code Block
| tstats distinct_count(crm.username) as dc1 WHERE (index="main"  earliest="7/1/2020:00:00:00" latest="8/1/2020:00:00:00" 
[|inputlookup spl-customer-host.csv   | where cloudenv="prod" | fields displaycustomer hostlookup 
| lookup spl-customer-host.csv displaycustomer cloudenv OUTPUT hostlookup 
| fields - displaycustomer | rename hostlookup as host | format]) BY _time host 
| timechart sum(dc1) as all_agents_prod_by_day span=1d 
| stats max(all_agents_prod_by_day) as all_agents_prod

2.4 How do I convert Splunk events to look like the basic log statements I am used to for troubleshooting?

...