Re: Count # of sensors by host and dashboard

ksheikh786

Calculating metrics. I need to count the number of sensors that are created and monitored for each host. I have the index and sourcetype.

I created about 7 different dashboards with multiple host on each dashboard and I need to get a count on the number of sensors that are being monitored by each host.

index=idx_sensors sourcetype = sensorlog | stats count by host

the above query is giving me all the hostnames that are being monitored but the count is giving me all the events... I just need the # of sensors per host.

ksheikh786

Lets say I have a dashboard setup with 5 hosts (serverA, serverB, serverC, serverD, serverE), for each host there are 5-10 queries setup to pull data using the same index=idx_sensors.

I can manually count and see that there are x # of sensors setup per hostname.

How would I create a query to check how many sensors are being monitored by hostname?

(I've got 7 diff dashboards w/ multiple hosts monitoring X number of sensors. I need to get metrics for which host has how many sensors that are currently being monitored.)

ksheikh786

I need to track the number of alerts configured under index=idx_sensors by hostname

yuanliu

You haven't answered key questions from me and @bowesmana. Without SPL, what do you use to count number of sensors per host (if the total number of events is not the answer).

Let me repeat the four commandments of asking answerable questions in this forum:

Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search (SPL that volunteers here do not have to look at).
Illustrate the desired output from illustrated data.
Explain the logic between illustrated data and desired output without SPL.
If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious.

yuanliu

I can manually count and see that there are x # of sensors setup per hostname.

You need to show volunteers here HOW do you count number of sensors from logs (without using SPL).

Here are four commandments to help you ask answerable questions in this forum:

Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search (SPL that volunteers here do not have to look at).
Illustrate the desired output from illustrated data.
Explain the logic between illustrated data and desired output without SPL.
If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious.

bowesmana

Did you try the query I posted?

ksheikh786

Yes, it returned 0s

bowesmana

What field does your data contain that holds the sensor value? Did you change the query as needed to pick up that field.

bowesmana

Use dc

index=idx_sensors sourcetype = sensorlog 
| stats dc(sensor_field) as sensors by host

isoutamo

Can you give sample of your events?
You could add another or more field after by on stats if there is something which you could use.

Count # of sensors by host and dashboard

stats

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability