Solved: Group hosts by Sourcetype by Index

king2jd · ‎01-05-2017

Hello,

I am trying to perform a search that groups all hosts by sourcetype and groups those sourcetypes by index. So far I have this:

| tstats values(host) AS Host, values(sourcetype) AS Sourcetype WHERE index=* by index

But this search does map each host to the sourcetype. Instead it shows all the hosts that have at least one of the resulting sourcetypes as a sourcetype.

rjthibod · ‎01-05-2017

How about this?

| tstats count where index=* by index sourcetype host 
| stats list(host) as Hosts by index sourcetype

View solution in original post

rjthibod · ‎01-05-2017

How about this?

| tstats count where index=* by index sourcetype host 
| stats list(host) as Hosts by index sourcetype

king2jd · ‎01-05-2017

Does exactly what I needed. Thanks for your help!

gcusello · ‎01-05-2017

have you tried
stats count by host, sourcetype, index OR tstats count by host, sourcetype, index ?

Bye.
Giuseppe

rjthibod · ‎01-05-2017

Can you give an example of what the end data should look like in table format?

king2jd · ‎01-05-2017

Index1----sourcetype1-----host1
------host2
------sourcetype2---host 3
Index2-----sourcetype3----host1
----host5

Does this help you?

king2jd · ‎01-05-2017

That came out worse than I thought but essentially
index1-sourcetype1-host1,host2
index2-sourcertype2-host1,host4

Group hosts by Sourcetype by Index

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation