Splunk Search

Count the movement (add remove) of hosts

smudge797
Path Finder

If I add 1 host and remove another host in a month, the stats will be the same and the delta zero, but we had movement. That's what I'm trying to track. This is what I have so far:

| timechart span=1mon dc(Host_Name) as Count_Of_Hosts
| streamstats window=2 last(Count_Of_Hosts) AS Last, first(Count_Of_Hosts) AS First
| eval Delta=Last-First

0 Karma

woodcock
Esteemed Legend

You should not post the same question twice. You should take time to clearly formulate it before you post it and update the original question as needed. See my answer here:

https://answers.splunk.com/answers/412098/how-to-search-the-count-of-addsremoves-new-hosts-v.html#an...

martin_mueller
SplunkTrust

In order to build a fairly reliable search you'll have to tell us what your events look like, how often they occur, under what condition a host is considered to be added or removed, and so on.

Some early thought on your attempt, going by the distinct count is troublesome. If you add host A and remove host B, your distinct count doesn't change. Depending on your number of hosts and the sample rate of their events this statistically won't be avoidable. You will need to track adds and removes per host, and then count those add/remove events.

0 Karma

smudge797
Path Finder

Hi Martin,
What you have described with distinct count is the challenge for me. The events come in a CSV input once a month, which is then summarized. This is a sample event:

2016/05/01,9810440,Infrastructure,Distributed Storage,Backup,Backup,Backup,0.05,DCI Backup,USER SERVICES (blah),WORKSPACE SERVICES (blah),WORKSPACE SERVICES (blah),1580962,S1005WIF790,182976,ORG TRANSFER - TELEPHONY 802,$0 ,0

Cost = $0
Cost Center = 123456
Cost_Center = Distributed Storage
Date = 2016/05/01
Feed_Name = blah Backup
Host_Name = myhost
Org L4 = USER SERVICES (blah)
Org L5 = WORKSPACE SERVICES (blah1)
Org L6 = WORKSPACE SERVICES (bah2)
Org_Description = ORG TRANSFER - TELEPHONY 123
Org_L5 = Backup (Blah5)
Org_L6 = 0.05
PPGL1 = Infrastructure
PPGL2 = Distributed Storage
PPGL3 = Backup
PPGL4 = Backup
Product = Backup
Standard Price = 0.05
Volume = 0
date_mday = 1
date_month = may
date_wday = sunday
date_year = 2016
date_zone = -240
field1 = 2016/05/01
field2 = 9810440
host = myindexer
index = blahblah
linecount = 1
punct = //,,_,_,,,_(),.,_,___(),__(),___(),,,,__-__,$_,
source = May billing detail.csv
sourcetype = blah
splunk_server = myindexer indexer
tag = index
0 Karma
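Following Martin's point that adds and removes have to be tracked per host before they are counted, here is one way to do that in SPL. This is an added example, not a search from this thread; it assumes the index and sourcetype shown in the sample event (index=blahblah, sourcetype=blah), that Host_Name and Date are extracted as shown, and that the Date field (not index time) identifies the billing month.

```spl
index=blahblah sourcetype=blah
| eval _time=strptime(Date, "%Y/%m/%d")
| bin _time span=1mon
| stats count AS rows BY Host_Name, _time
| sort 0 Host_Name, _time
| streamstats current=f last(_time) AS prev_seen BY Host_Name
| eval added=if(isnull(prev_seen), 1, 0)
| reverse
| streamstats current=f last(_time) AS next_seen BY Host_Name
| eventstats max(_time) AS latest_month
| eval removed=if(isnull(next_seen) AND _time<latest_month, 1, 0)
| stats sum(added) AS adds, sum(removed) AS removes, dc(Host_Name) AS hosts BY _time
| eval movement=adds+removes
| sort 0 _time
```

The first streamstats walks each host's months forward (no earlier month means the host was added), the second walks them backward after reverse (no later month, and not the newest month, means the host was removed), and the final stats rolls the per-host flags up so that "add A, remove B" in one month gives movement=2 while hosts stays flat. Every host in the earliest month of your time range counts as added, and a removal is charged to the last month the host reported, so pick the search window one month wider than the period you want to report on.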