https://community.splunk.com/t5/Splunk-Dev/Re-use-host-field-in-Timechart-for-count-aggregation/m-p/405037#M6977 <P>See the answer by @niketnilay on this one, which includes the full code for a similar solution. </P> <P><A href="https://answers.splunk.com/answers/623803/trellis-display-of-two-values.html">https://answers.splunk.com/answers/623803/trellis-display-of-two-values.html</A></P> <P>However, I believe you may need to swap the order of your fields. That is, the "by" field may need to be <CODE>by host</CODE> if you want the trellis to break the results by host. Try it the way you have it and see if it works. If not, then swap it and see if that works. </P> Sat, 11 Aug 2018 06:02:22 GMT DalJeanis 2018-08-11T06:02:22Z https://community.splunk.com/t5/Splunk-Dev/Re-use-host-field-in-Timechart-for-count-aggregation/m-p/405036#M6976 <P>I am attempting to create a dynamic timecharted trellis dashboard panel that only shows an aggregation <CODE>by host</CODE> based on which <CODE>host</CODE> fields are present in the main search.</P> <P>As an example, the below shows two trellis panels, split <CODE>by sourcetype</CODE> using a statically assigned <CODE>host</CODE> names.</P> <PRE><CODE>index=* sourcetype=* host=host1 OR host=host2 | timechart span=1s count(eval(host == "host1")) as "host1" count(eval(host == "host2")) as "host2" count by sourcetype </CODE></PRE> <P>What I would like is the number of Trellis panels (aggregated <CODE>by host</CODE>) to shrink or grow based on the number of hosts listed in the primary search.</P> <P>Programmatically this would be something like a for loop over the host aggregation to create multiple panels, depending on the number of <CODE>host</CODE> values present.</P> <P>i.e. </P> <PRE><CODE>index=* sourcetype=* host=host1 OR host=host2 | timechart span=1s count(eval(host == )) as "" count by sourcetype </CODE></PRE> <P>With the expanded search evaluating to something like the below, assuming 3 hosts.</P> <PRE><CODE>index=* sourcetype=* host=host1 OR host=host2 OR host=3 | timechart span=1s count(eval(host == "host1")) as "host1" count(eval(host == "host2")) as "host2" count(eval(host == "host3")) as "host3" count by sourcetype </CODE></PRE> <P>Any help would be appreciated!<BR /> Thanks.</P> Thu, 09 Aug 2018 22:08:00 GMT https://community.splunk.com/t5/Splunk-Dev/Re-use-host-field-in-Timechart-for-count-aggregation/m-p/405036#M6976 joshuagray 2018-08-09T22:08:00Z https://community.splunk.com/t5/Splunk-Dev/Re-use-host-field-in-Timechart-for-count-aggregation/m-p/405037#M6977 <P>See the answer by @niketnilay on this one, which includes the full code for a similar solution. </P> <P><A href="https://answers.splunk.com/answers/623803/trellis-display-of-two-values.html">https://answers.splunk.com/answers/623803/trellis-display-of-two-values.html</A></P> <P>However, I believe you may need to swap the order of your fields. That is, the "by" field may need to be <CODE>by host</CODE> if you want the trellis to break the results by host. Try it the way you have it and see if it works. If not, then swap it and see if that works. </P> Sat, 11 Aug 2018 06:02:22 GMT https://community.splunk.com/t5/Splunk-Dev/Re-use-host-field-in-Timechart-for-count-aggregation/m-p/405037#M6977 DalJeanis 2018-08-11T06:02:22Z