contingency table cell values

jrstear · ‎03-07-2011

"daysago=5 | ctable host date_wday" produces a table with hosts on rows, dates on columns, and total message count in the cells, but takes a while as it must go through all the logs and count them. I have summary index records with fields orig_host and daily_count, but how do I get it into the same format as above?

More generally: it'd be handy if ctable took an optional argument to indicate what values were put in the cells, eg "daysago=5 index=summary search_name=daily_count_by_host | ctable orig_host wday value=daily_count". It'd also be nice to be able to control the sort order of rows and columns, eg via a preceding sort. Maybe there is already a way to do this?

Thanks for any help!

-jon

Stephen_Sorkin · ‎03-07-2011

First note that ctable is roughly equivalent to chart. The following two give the same results, except for the limit in series that will be shown:

... | ctable x y
... | chart count by x y

In your case, you don't want the count of summary events but rather the sum of the daily_count field. So your search will be:

daysago=5 index=summary search_name=daily_count_by_host
| chart sum(daily_count) by orig_host wday

jrstear · ‎03-07-2011

nevermind, timechart is good. thanks again.

jrstear · ‎03-07-2011

eggcellent - thanks! hmm, the cli behavior is unexpected - eg pipe to less shows incomplete results. i'm aiming for a cli that shows top N chatty hosts - any pointers on that? (i don't know if i should submit a separate question)

contingency table cell values

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?