Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Match fields in chart

jkcouch
Explorer
‎05-22-2012 09:14 PM

I am a Splunk newcomer. Not sure if this is a good title but here is the data set (11,000 events, one for each VM):

05/22/2012 08:49:25 GMT hostname Cluster="tempcluster" CpuLimitMhz="-1" CpuReservationMhz="0" CpuSharesLevel="Normal" MemLimitMB="-1" MemReservationMB="0" MemSharesLevel="Normal" NumCpuShares="2000" VCenter="vcenter" VirtualMachineId="VirtualMachine-vm-000" VMHardwareVersion="v7" VMHost="esx001.tmpdmn.com" VMHostModel="ProLiant BL685c G1" VMHostState="Connected" VMHostVersion="VMware ESXi 4.1.0 build-433742" VMName="tmpvmname" VMToolsVersion="8194" VMToolsVersionStatus="guestToolsNeedUpgrade" ScriptRunTime="129821436005339451"

I am wanting the chart to look someting like this:

"VMHostModel" "Host Count" "VM Count"

ProLiant BL685c G1 400 4000

ProLiant BL465c G1 500 5000

ProLiant BL460c G1 200 2000

Here is what I have so far:

source="PS_VM_Config" | dedup VMName date_mday | chart count(VMHostModel) AS "Host Count", count(VMName) As "VM Count" by VMHostModel

But right now it looks like:

"VMHostModel" "Host Count" "VM Count"

ProLiant BL685c G1 4000 4000

ProLiant BL465c G1 5000 5000

ProLiant BL460c G1 2000 2000

Suggestions please! 🙂

Tags (2)
0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎05-22-2012 09:33 PM

Instead of count, try using dc.

source="PS_VM_Config" | chart dc(VMHost) AS "Host Count", dc(VMName) As "VM Count" by VMHostModel
Reply

jkcouch
Explorer
‎05-22-2012 10:02 PM

You nailed it. Thank you! That makes a lot of sense actually now that I see it.

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...