Splunk Search

Count the movement (add/remove) of hosts

Path Finder

If I add 1 host and remove another host in a month, the stats will be the same and the delta zero, but we had movement. That's what I'm trying to track. This is what I have so far:

| timechart span=1mon dc(HostName) as CountOfHosts
| streamstats window=2 last(CountOfHosts) AS Last, first(CountOfHosts) AS First
| eval Delta=Last-First


Esteemed Legend

You should not post the same question twice. You should take time to clearly formulate it before you post it and update the original question as needed. See my answer here:



In order to build a fairly reliable search, you'll have to tell us what your events look like, how often they occur, under what condition a host is considered to be added or removed, and so on.

Some early thoughts on your attempt: going by the distinct count is troublesome. If you add host A and remove host B, your distinct count doesn't change. Depending on your number of hosts and the sample rate of their events, this statistically won't be avoidable. You will need to track adds and removes per host, and then count those add/remove events.

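Martin's point above, worked through as an added example that is not part of the thread: instead of taking a distinct count per month, build the set of hosts present in each monthly feed and diff consecutive months, so that one add plus one remove counts as movement of 2 even though the distinct count does not move. The script is Python rather than SPL so it can be run offline. It assumes the feed has a Date column in YYYY/MM/DD form and a Host_Name column, matching the sample event posted later in the thread; the rows it parses are constructed for illustration.

```python
"""Count host adds/removes between monthly billing snapshots.

Added example, not code from the original thread. Assumes each monthly CSV
feed has a 'Date' column (YYYY/MM/DD) and a 'Host_Name' column, as in the
sample event in the thread. SAMPLE_CSV below is constructed test data.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: three monthly snapshots. In May, hostB disappears and
# hostD appears, so the distinct count stays at 3 while movement is 2.
# hostD also has two product rows in May to show that duplicates per host
# do not inflate the counts.
SAMPLE_CSV = """Date,Host_Name,Product
2016/03/01,hostA,Backup
2016/03/01,hostB,Backup
2016/03/01,hostC,Backup
2016/04/01,hostA,Backup
2016/04/01,hostB,Backup
2016/04/01,hostC,Backup
2016/05/01,hostA,Backup
2016/05/01,hostC,Backup
2016/05/01,hostD,Backup
2016/05/01,hostD,Storage
"""


def parse_csv(text):
    """Parse CSV text with a header row into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def hosts_by_month(rows):
    """Map 'YYYY/MM' -> set of hosts that appear in that month's feed."""
    months = defaultdict(set)
    for row in rows:
        month = row["Date"][:7]  # 'YYYY/MM' from 'YYYY/MM/DD'
        months[month].add(row["Host_Name"])
    return dict(months)


def movement(rows):
    """Per month, in chronological order, return a dict with:
    dc       - distinct hosts seen that month (what timechart dc() gives)
    delta    - dc minus the previous month's dc (first month: equals dc)
    added    - hosts present this month but not the previous one
    removed  - hosts present the previous month but not this one
    movement - len(added) + len(removed), the figure the question asks for
    """
    months = hosts_by_month(rows)
    result = {}
    prev = None
    for month in sorted(months):
        cur = months[month]
        added = cur - prev if prev is not None else set()
        removed = prev - cur if prev is not None else set()
        result[month] = {
            "dc": len(cur),
            "delta": len(cur) - (len(prev) if prev is not None else 0),
            "added": sorted(added),
            "removed": sorted(removed),
            "movement": len(added) + len(removed),
        }
        prev = cur
    return result


if __name__ == "__main__":
    for month, stats in movement(parse_csv(SAMPLE_CSV)).items():
        print(month, stats)
```

For 2016/05 this reports dc=3, delta=0, added=['hostD'], removed=['hostB'], movement=2, which is exactly the case the question describes that the distinct-count delta hides. One caveat when applying this to a real feed: a host that has no billing rows in one month and reappears the next is counted as a remove followed by an add, so decide whether absence from a single monthly feed really means the host is gone before treating it as movement. In Splunk the same per-host idea can be approached by computing first and last seen per host (for example `stats min(_time) AS first_seen max(_time) AS last_seen BY Host_Name`) and then counting hosts whose first_seen falls in a month as adds and hosts whose last_seen falls in the previous month as removes; that is an outline of the approach, not a search verified against this data.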

Path Finder

Hi Martin,
What you have described with distinct count is the challenge for me. The events come in a CSV input once a month, which is then summarized. This is a sample event:

2016/05/01,9810440,Infrastructure,Distributed Storage,Backup,Backup,Backup,0.05,DCI Backup,USER SERVICES (blah),WORKSPACE SERVICES (blah),WORKSPACE SERVICES (blah),1580962,S1005WIF790,182976,ORG TRANSFER - TELEPHONY 802,$0 ,0

Cost = $0
Cost Center = 123456
Cost_Center = Distributed Storage
Date = 2016/05/01
Feed_Name = blah Backup
Host_Name = myhost
Org L4 = USER SERVICES (blah)
Org_Description = ORG TRANSFER - TELEPHONY 123
Org_L5 = Backup (Blah5)
Org_L6 = 0.05
PPGL1 = Infrastructure
PPGL2 = Distributed Storage
PPGL3 = Backup
PPGL4 = Backup
Product = Backup
Standard Price = 0.05
Volume = 0
date_mday = 1
date_month = may
date_wday = sunday
date_year = 2016
date_zone = -240
field1 = 2016/05/01
field2 = 9810440
host = myindexer
index = blahblah
linecount = 1
punct = //,,_,_,,,_(),.,_,___(),__(),___(),,,,__-__,$_,
source = May billing detail.csv
sourcetype = blah
splunk_server = myindexer indexer
tag = index