I am a Splunk newcomer. Not sure if this is a good title but here is the data set (11,000 events, one for each VM):
05/22/2012 08:49:25 GMT hostname Cluster="tempcluster" CpuLimitMhz="-1" CpuReservationMhz="0" CpuSharesLevel="Normal" MemLimitMB="-1" MemReservationMB="0" MemSharesLevel="Normal" NumCpuShares="2000" VCenter="vcenter" VirtualMachineId="VirtualMachine-vm-000" VMHardwareVersion="v7" VMHost="esx001.tmpdmn.com" VMHostModel="ProLiant BL685c G1" VMHostState="Connected" VMHostVersion="VMware ESXi 4.1.0 build-433742" VMName="tmpvmname" VMToolsVersion="8194" VMToolsVersionStatus="guestToolsNeedUpgrade" ScriptRunTime="129821436005339451"
I am wanting the chart to look someting like this:
"VMHostModel"        "Host Count"     "VM Count"
ProLiant BL685c G1      400              4000
ProLiant BL465c G1      500              5000
ProLiant BL460c G1      200              2000
Here is what I have so far:
source="PS_VM_Config" | dedup VMName date_mday |  chart count(VMHostModel) AS "Host Count", count(VMName) As "VM Count" by VMHostModel
But right now it looks like:
"VMHostModel"        "Host Count"     "VM Count"
ProLiant BL685c G1      4000              4000
ProLiant BL465c G1      5000              5000
ProLiant BL460c G1      2000              2000
Suggestions please! 🙂
 
					
				
		
Instead of count, try using dc.
source="PS_VM_Config" | chart dc(VMHost) AS "Host Count", dc(VMName) As "VM Count" by VMHostModel
You nailed it. Thank you! That makes a lot of sense actually now that I see it.
