Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to separate a search by groups of hosts?

meleschi
Explorer
‎04-24-2017 01:21 PM

Hello!

If I run this query, I'll get a graph of the # of queries over time aggregated for all of my hosts.

host=* | timechart per_minute(Query)

If I run this query, I'll have a similar graph with one line shown per host.

host=* | timechart per_minute(Query) by host

Is there any way to graph by groups of hosts? Say, by the domain of the server.

example:

host=* | timechart per_minute(Query) by group (a, b, c) where group a like "*.a.com" and group b like "*.b.com" and group c like "*.c.com"
0 Karma
Reply

woodcock
Esteemed Legend
‎11-22-2019 10:38 PM

Like this:

 host=*
| rex field=host mode=sed "s/^[^\.]+/\*/"
| timechart per_minute(Query) BY host
0 Karma
Reply

meleschi
Explorer
‎11-22-2019 02:05 PM

Thank you for both answers above. I ended up placing some data in a lookup table, and using that to break apart servers by region, type, etc.

0 Karma
Reply

somesoni2
Revered Legend
‎04-24-2017 01:37 PM

You can create a field with those criteria/specification and they group by those.
e.g.

 host=* | eval group=case(like(host,"%.a.com"),"group a",like(host,"%.b.com"),"group b",...other sets here, 1=1,"defauly") | timechart per_minute(Query) by group

If you're only interested in group a/b/c (you don't want to statistics for other domains, add them as filter in the base search.

 host=*.a.com OR host=*.b.com OR host=*.c.com  | eval group=case(like(host,"%.a.com"),"group a",like(host,"%.b.com"),"group b",...other sets here, 1=1,"defauly") | timechart per_minute(Query) by group
Reply

lycollicott
Motivator
‎04-24-2017 01:25 PM

Off the top of my head, I would extract a field to be the domain and group by that.

So, something like:

hosts=* 
| rex field=host "\.(?\w+\.\w+)"
| timechart span=1m count by domain_name
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...