Howto Chart Fields by Host


I am indexing results from facter which logs information about each host. I can get the most up to date list of these system properties by running

sourcetype="puppet-facts" | dedup host

This would return a single event for each host. My question is, how would I generate a table that would include a record for each host, and then columns consisting of the fields?

Solution

Splunk Employee
| stats 
    first(field1) as field1 
    first(field2) as field2 
    first(field3) as field3
    sum(field4) as total_amt
  by host


Splunk Employee

sourcetype=puppet-facts | dedup host | table *



This works out nicely if I have a small amount of fields to create the table as I described. Do you know of a way to do the same thing for all fields? Other than just hardcoding it into the searchstring?


Splunk Employee

Let's assume you have multiple fields values in your "puppet-facts" including duration and status. To chart any of these in combination with host, you could do the following search:

sourcetype="puppet-facts" | dedup host | chart count by host,duration,status

The above search uses the chart command to create a listing of the event count with the host, duration, and status fields.

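As an added example that is not part of this thread: the accepted stats approach extended to every fact field without hardcoding the names (it relies on wildcard expansion in stats functions), with a staleness check that lists hosts whose facts have not arrived for more than 24 hours, since a host that stops reporting is a host whose configuration can no longer be verified. The 24-hour threshold is an assumed value; status and duration are the field names used in the answers above.

```spl
sourcetype="puppet-facts"
| stats latest(_time) AS last_seen, latest(*) AS * BY host
| eval age_hours = round((now() - last_seen) / 3600, 1)
| eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| where age_hours > 24
| table host, last_seen, age_hours, status, duration, *
```

Drop the where clause to get the full one-row-per-host table for every host, with all fact fields as columns.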