Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Counting from metadata and inputcsv

DerekKing
Path Finder
‎03-11-2014 04:44 AM

Hi,

I have a use case whereby I would like to report how many assets I am monitoring in splunk, as a percentage of the total.

To get the number of reporting hosts I use the search;
| metadata type=hosts index=* | stats count AS reporting_hosts

To get the total number of assets I have, I use a lookup to my asset file
| inputlookup assetinventory | stats count AS total_assets

Both of these work fine in isolation, but what I cant figure out is how I can use both searches at the same time, and return a stacked chart (or even just a percentage single value would be fine).

Regards
Derek.

0 Karma
Reply

davebrooking
Contributor
‎03-11-2014 07:02 AM

Hi Derek

As both searches return a single value, you could use appendcols to associate the results from both queries, so something like


| metadata type=hosts index=* 
| stats count AS reporting_hosts 
| appendcols [| inputlookup assetinventory | stats count AS total_assets] 
| eval perc=reporting_hosts/total_assets*100

Dave

Reply

DerekKing
Path Finder
‎03-11-2014 07:26 AM

Thanks Dave, Exactly what I was looking for,

Derek.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎03-11-2014 05:20 AM

Hi DereckKing,

you could do something like this:

| metadata type=hosts index=* | stats count(host) as myCount | eval key="foo" | lookup assetinventory key as key OUTPUT value AS newCount | eval myPerc=myCount*100/newCount | table myCount myPerc

I did setup a lookup based on the following dummy lookup file:

key,value
foo,30

this is needed to do some dummy lookup and will get back the total number of your assetinventory. The lookup file can be updated on a nightly base by running a saved search which will search all reporting hosts and updates the lookup with outputlookup

There is probably some other way to achieve this, but this will get you started.

cheers, MuS

0 Karma
Reply

DerekKing
Path Finder
‎03-11-2014 07:26 AM

Thanks Mus - that did indeed get me started.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...