- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hartfoml
Motivator
10-17-2012
03:04 PM
I am looking for a good way to show the number of host that are sending log files to splunk over time
I can use timechart but how do I count uniq host names and from what index. I tried _internal for the metrics and summary but when i use uniq or dedup it kills my timchart function.
How to get the number for each day over a 30 day????
I tried this:
index=_internal hostname="*" component="Metrics" | timechart span=d count(uniq hostname)
But that's not right. anyone know the right way??
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BobM
Builder
10-17-2012
03:25 PM
This will give what you want.
index=_internal per_host_thruput | timechart span=1d dc(series) as hosts
dc is short for distinct count and series contains the host name in the per_host group
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BobM
Builder
10-17-2012
03:25 PM
This will give what you want.
index=_internal per_host_thruput | timechart span=1d dc(series) as hosts
dc is short for distinct count and series contains the host name in the per_host group
