Reporting

Generating reports where multiple hosts are present

shreeCS
New Member

Hi,

I have individual persons' data available in the form of CSV files. Here I want to generate reports on that data, so I uploaded those CSV files to Splunk for indexing and creating reports.
I uploaded each person's CSV files this way: Add data -> From Files & Directories -> Upload & Index File -> More Settings -> SourceType -> from list > csv.
So the CSV files were uploaded successfully. Here I made each person's data available under a different host, i.e., person A's host as A, person B's host as B, person C's host as C and so on.

Here are the sample entries for person A:

 Day  Date       InTime  OutTime
 Sun  1.08.2013   8:33    17:39
 Mon  2.03.2013   8:38    17:40
 Tue  2.03.2013   8:33    19:28
 Wed  2.03.2013   8:32    17:37
        .
        .
        .

Each person has the same fields with different values. Here I took only person A's data and calculated the difference between InTime and OutTime. The query is below:

host="A" | convert mstime(OutTime) AS otime | convert mstime(InTime) AS itime |eval durationHrs=(otime - itime )/60 | timechart values(durationHrs) As myDurationHrs

This is working fine. If I want to come up with a report which includes each person's data, and I want to calculate each person's average durationHrs (i.e., durationHrs=(otime - itime)/60 and avg(durationHrs)), how do I do that, because here I have each host representing each person? If my person count is more than 10 or so, how do I combine them in a single query (like host="A" host="B" host="C" ... host="Z")?
In the end I want a chart that shows the average_durationHrs for each person.

How to do this?


gfuente
Motivator

Hello

Instead of host="A" at the beginning of the query you should use the sourcetype (which should be the same for all of them, if you indexed them right), let's say sourcetype="hostdata". Then you will be querying all the data at the same time.

And, at the end of the query, you need to add the "by" clause to split the data by the criteria you want.

...| timechart values(durationHrs) As myDurationHrs by host

Regards

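As an added example (not code from the original question or answer), the Python below reproduces the per-host arithmetic that the combined search performs once the answer's `by host` split is applied and the final command is changed from `timechart values(...)` to an average, i.e. an ending of the form `... | stats avg(durationHrs) AS average_durationHrs by host`. It parses constructed sample CSV files for hosts A, B and C, computes durationHrs for every row, and averages it per host, which is what the requested chart should display. The sample rows, the host-to-file mapping, and the treatment of an OutTime earlier than InTime as a shift that crosses midnight are assumptions made for the illustration; they are not from the original post.

```python
import csv
import io
from datetime import timedelta

# Constructed sample data (not from the original post): one CSV file per
# person, keyed by the host name each file was indexed under in Splunk.
SAMPLE_FILES = {
    "A": """Day,Date,InTime,OutTime
Sun,1.08.2013,8:33,17:39
Mon,2.08.2013,8:38,17:40
Tue,3.08.2013,8:33,19:28
""",
    "B": """Day,Date,InTime,OutTime
Sun,1.08.2013,9:00,18:00
Mon,2.08.2013,9:15,17:45
""",
    # Constructed edge case: a shift that ends after midnight.
    "C": """Day,Date,InTime,OutTime
Sun,1.08.2013,22:00,6:00
Mon,2.08.2013,8:00,16:30
""",
}


def parse_clock(value):
    """Parse 'H:MM' or 'HH:MM' into a timedelta measured from midnight."""
    hours, minutes = value.strip().split(":")
    return timedelta(hours=int(hours), minutes=int(minutes))


def duration_hours(in_time, out_time):
    """Hours between InTime and OutTime for one row (the SPL durationHrs).

    Assumption for this example: if OutTime is earlier than InTime the
    shift crossed midnight, so a day is added instead of returning a
    negative duration. The original eval would yield a negative value.
    """
    delta = parse_clock(out_time) - parse_clock(in_time)
    if delta < timedelta(0):
        delta += timedelta(days=1)
    return delta.total_seconds() / 3600


def durations_by_host(files):
    """Return {host: [durationHrs per row]} for every uploaded CSV."""
    result = {}
    for host, text in files.items():
        rows = csv.DictReader(io.StringIO(text))
        result[host] = [duration_hours(r["InTime"], r["OutTime"]) for r in rows]
    return result


def average_duration_by_host(files):
    """Equivalent of '... | stats avg(durationHrs) AS average_durationHrs by host',
    rounded to two decimals for display. Hosts with no rows are skipped."""
    return {
        host: round(sum(hours) / len(hours), 2)
        for host, hours in durations_by_host(files).items()
        if hours
    }


if __name__ == "__main__":
    for host, avg in sorted(average_duration_by_host(SAMPLE_FILES).items()):
        print(f"host={host} average_durationHrs={avg}")
```

Running this against the same rows you indexed gives a reference value to compare with the Splunk chart; if the SPL result for a host disagrees, check the rows where OutTime is earlier than InTime, because the original eval produces a negative durationHrs there and drags the average down.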