Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Match fields in chart

jkcouch
Explorer
‎05-22-2012 09:14 PM

I am a Splunk newcomer. Not sure if this is a good title but here is the data set (11,000 events, one for each VM):

05/22/2012 08:49:25 GMT hostname Cluster="tempcluster" CpuLimitMhz="-1" CpuReservationMhz="0" CpuSharesLevel="Normal" MemLimitMB="-1" MemReservationMB="0" MemSharesLevel="Normal" NumCpuShares="2000" VCenter="vcenter" VirtualMachineId="VirtualMachine-vm-000" VMHardwareVersion="v7" VMHost="esx001.tmpdmn.com" VMHostModel="ProLiant BL685c G1" VMHostState="Connected" VMHostVersion="VMware ESXi 4.1.0 build-433742" VMName="tmpvmname" VMToolsVersion="8194" VMToolsVersionStatus="guestToolsNeedUpgrade" ScriptRunTime="129821436005339451"

I am wanting the chart to look someting like this:

"VMHostModel" "Host Count" "VM Count"

ProLiant BL685c G1 400 4000

ProLiant BL465c G1 500 5000

ProLiant BL460c G1 200 2000

Here is what I have so far:

source="PS_VM_Config" | dedup VMName date_mday | chart count(VMHostModel) AS "Host Count", count(VMName) As "VM Count" by VMHostModel

But right now it looks like:

"VMHostModel" "Host Count" "VM Count"

ProLiant BL685c G1 4000 4000

ProLiant BL465c G1 5000 5000

ProLiant BL460c G1 2000 2000

Suggestions please! 🙂

Tags (2)
0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎05-22-2012 09:33 PM

Instead of count, try using dc.

source="PS_VM_Config" | chart dc(VMHost) AS "Host Count", dc(VMName) As "VM Count" by VMHostModel
Reply

jkcouch
Explorer
‎05-22-2012 10:02 PM

You nailed it. Thank you! That makes a lot of sense actually now that I see it.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...