Re: How to concatenate events from multiple hosts ...

sekhar463 · ‎08-05-2022

Hai All,

we have events from different hosts with same name. any search query to add them in single host field

please suggest

dallvcrfix1p	1913
dallvcrfix1p.ops.invesco.net	20

sekhar463 · ‎08-05-2022

index=indexname addtotals row=f col=t labelfield=host sum(host)

no results i am trying this

Siddharth · ‎08-05-2022

Can you send me the query how did you get this result

dallvcrfix1p	1913
dallvcrfix1p.ops.invesco.net	20

sekhar463 · ‎08-05-2022

i m using query index=ivz_unix_linux_events |stats count by host

and in events we have hostnames with 2 hostnames so i want add count both for single filed

allhebsms1p	6434
dallhebsms1p.ops.invesco.net	41
dallvcrfix1p	1688
dallvcrfix1p.ops.invesco.net	82
dallvcrfix2p	2027
dallvcrfix2p.ops.invesco.net	20
fanlvairw1d	2773
fanlvairw1d.ops.invesco.net

martinpu · ‎08-05-2022

|rex field=host "(?<host>[^\.]+)"
 |stats count by host

Should do the trick.

sekhar463 · ‎08-08-2022

while trying with above query still i am getting hostname are not getting one

sekhar463 · ‎08-08-2022

Thanks for this

what this regex will do

index=index name |rex field=host "(?<host>[^\.]+)"
|stats count by host |dedup host

i am using this search

as based below hostnames showing for single host due to dns resolution getting like this in splunk and how we can solve this problem as single hostname

what was the workaround for to concatenate for both as single host name

dallvcrfix2p	2027
dallvcrfix2p.ops.invesco.net	20

Siddharth · ‎08-05-2022

if you just want total use this after your query

addtotals row=f col=t labelfield=host sum(field_you_want_count)

How to concatenate events from multiple hosts as single host?

join

stats

tstats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!