I am indexing results from facter which logs information about each host. I can get the most up to date list of these system properties by running
sourcetype="puppet-facts" | dedup host
This would return a single event for each host. My question is, how would I generate a table that would include a record for each host, and then columns consisting of the fields?
sourcetype=puppet-facts
| stats
first(field1) as field1
first(field2) as field2
first(field3) as field3
count
sum(field4) as total_amt
...
by host
sourcetype=puppet-facts | dedup host | table *
This works out nicely if I have a small number of fields to create the table as I described. Do you know of a way to do the same thing for all fields? Other than just hardcoding it into the search string?
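One way to get one row per host with every fact as a column without listing the fields by hand, as an added example rather than an answer from this thread: the search below assumes the same "puppet-facts" sourcetype and that your Splunk version accepts the wildcard rename form `latest(*) as *` in stats. Unlike `dedup` (which keeps whichever event the search returns first) and `first()` (which is search-order dependent), `latest()` picks by `_time`, so the row reflects the newest fact report; `last_seen` makes it easy to spot hosts that have stopped reporting.

```spl
sourcetype="puppet-facts"
| stats latest(*) as * latest(_time) as last_seen by host
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table host last_seen *
```

Appending `| where last_seen < relative_time(now(), "-1d@d")` before the `eval` turns the same search into a report of hosts whose facts are more than a day stale.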
Let's assume you have multiple field values in your "puppet-facts" including duration and status. To chart any of these in combination with host, you could do the following search:
sourcetype="puppet-facts" | dedup host | chart count by host,duration,status
The above search uses the chart command to create a listing of the event count with the host, duration, and status fields.