Solved: Re: How can I combine stats count by host into a s...

burwell · ‎02-01-2018

I have a search that looks like

index=foo value=bar | stats count by host

Imagine you might get results like

host     count
host1   123
host2    456
host3    789

We want to alert when the count is greater than some threshold and I can do that.

What I also want to do is to create a new field that we can use an alert actions token.

So imagine in the above example we had a new field called badhosts whose value was the concatenation of the hosts with their count. For example "host1:123 host2:456 host3:789"

Each host is represented by its count.

The reason to do this is so I can then use $result.badhosts$ as a token and we can see all the hosts and their values.

How to do this? Thanks.

efavreau · ‎02-01-2018

@burwell Sounds like you're looking for sistats

index=foo value=bar | sistats values(host) as hosts

###

If this reply helps you, an upvote would be appreciated.

View solution in original post

efavreau · ‎02-01-2018

@burwell Sounds like you're looking for sistats

index=foo value=bar | sistats values(host) as hosts

###

If this reply helps you, an upvote would be appreciated.

burwell · ‎02-01-2018

Perfect! Thanks!

How can I combine stats count by host into a single string to be used in an alert actions token?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!