Solved: Calculate TopN hosts but add to that TopN based on...

homerskid · ‎03-26-2019

Is there a way to get a Top Hosts count and add to each hosts count using a value from a k/v pair in the event itself?

Example:

<158>Mar 26 15:01:36 m500 admd SSO: write 35 bytes on fd(11) OK repeatCount=300 source =    tcp:514 sourcetype =    generic_single_line

So this would come up as (300 + count of events for that host)

I'm new to Splunk so not very familiar with the query language. I found this on the google and tried it...

| metasearch index=* | eval Date=strftime(_time,"%Y-%m-%d") | chart count over host by Date

But I don't know how to add the count from that k/v

somesoni2 · ‎03-26-2019

Give this a try (I would strongly suggest to replace index=* with some specific index/sourcetype/source query)

index=* | eval Date=strftime(_time,"%Y-%m-%d") | stats count sum(repeatCount) as repeatCount by host Date | eval total=count + repeatCount | chart max(total) over host by date

View solution in original post

somesoni2 · ‎03-26-2019

Give this a try (I would strongly suggest to replace index=* with some specific index/sourcetype/source query)

index=* | eval Date=strftime(_time,"%Y-%m-%d") | stats count sum(repeatCount) as repeatCount by host Date | eval total=count + repeatCount | chart max(total) over host by date

Calculate TopN hosts but add to that TopN based on a key=value pair

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms