Archive

Can we run the query for 100 or so hosts?

danielbb
Motivator

We have the following that runs nicely for one host -

index=<index name> host=<host name> source=<source name> sourcetype=<sourcetype name> earliest=-7d MaximumProcessAddressSpace 
| stats first(MaximumProcessAddressSpace) as AvailableMEM 
| return AvailableMEM

We would like to do it for 100 or so hosts. Any ideas?

Tags (1)
0 Karma

aberkow
Builder

Unclear if you're looking for something more complex, but running the stats command BY host should split this out by host. You can also inputlookup a csv that acts as an IN clause for specific hosts. Examples:

index=<index name>  source=<source name> sourcetype=<sourcetype name> earliest=-7d MaximumProcessAddressSpace 
 | stats first(MaximumProcessAddressSpace) as AvailableMEM BY host

OR

  index=<index name>  source=<source name> sourcetype=<sourcetype name> earliest=-7d MaximumProcessAddressSpace 
[ |inputlookup hostsICareAbout.csv
    |table host]
    | stats first(MaximumProcessAddressSpace) as AvailableMEM BY host

Do these make sense as options/answer your question?

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!