Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Aggregate/subtotal the output by locations (not currently an index field) so I can produce a graph by location

tlmayes
Contributor
‎09-18-2017 05:52 AM

I have a query below that produces the sum of bandwidth used by remote intermediate forwarders. The output give me a simple linear output with sum by host.

index=_internal metrics thruput site-hub 11001 host=server0*  | stats sum(kb) by host

What I am trying to get without success is to aggregate/subtotal the output by locations (not currently an index field) so that I can produce a graph by location rather than a graph by host.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-18-2017 06:27 AM

So you need something that maps the hosts to the locations.

This could be something like...

| stats sum(kb) as totKb by host
| join type=left host [something that gets your host to location mapping | table host location]
| eval location=coalesce(location,"unknown")
| stats sum(totKb) as totKb by location

You could also use lookup or any number of other methods.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-18-2017 06:27 AM

So you need something that maps the hosts to the locations.

This could be something like...

| stats sum(kb) as totKb by host
| join type=left host [something that gets your host to location mapping | table host location]
| eval location=coalesce(location,"unknown")
| stats sum(totKb) as totKb by location

You could also use lookup or any number of other methods.

0 Karma
Reply
Solved! Jump to solution

tlmayes
Contributor
‎09-18-2017 08:10 AM

Thanks... the lookup was the key (and the tree hiding in the forest).

Reply
Solved! Jump to solution

DalJeanis
Legend
‎09-18-2017 09:21 AM

@tlmayes - yep, I've wandered that forest many times in the last 8 months. Now it's just kind of "wave and a path appears..."

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎09-18-2017 05:56 AM

hi,
Is the location mentioned in the events or you want to graph by iplocation?
It will be nice to see a sample of your events

0 Karma
Reply
Solved! Jump to solution

tlmayes
Contributor
‎09-18-2017 06:08 AM

No, there is no mention of location in the index, and assumed this field would be created via an eval statement.

As for the events, they are standard for every Splunk deployment, output from the "metrics.log" adding the kb field.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...