Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Match fields in chart

jkcouch
Explorer
‎05-22-2012 09:14 PM

I am a Splunk newcomer. Not sure if this is a good title but here is the data set (11,000 events, one for each VM):

05/22/2012 08:49:25 GMT hostname Cluster="tempcluster" CpuLimitMhz="-1" CpuReservationMhz="0" CpuSharesLevel="Normal" MemLimitMB="-1" MemReservationMB="0" MemSharesLevel="Normal" NumCpuShares="2000" VCenter="vcenter" VirtualMachineId="VirtualMachine-vm-000" VMHardwareVersion="v7" VMHost="esx001.tmpdmn.com" VMHostModel="ProLiant BL685c G1" VMHostState="Connected" VMHostVersion="VMware ESXi 4.1.0 build-433742" VMName="tmpvmname" VMToolsVersion="8194" VMToolsVersionStatus="guestToolsNeedUpgrade" ScriptRunTime="129821436005339451"

I am wanting the chart to look someting like this:

"VMHostModel" "Host Count" "VM Count"

ProLiant BL685c G1 400 4000

ProLiant BL465c G1 500 5000

ProLiant BL460c G1 200 2000

Here is what I have so far:

source="PS_VM_Config" | dedup VMName date_mday | chart count(VMHostModel) AS "Host Count", count(VMName) As "VM Count" by VMHostModel

But right now it looks like:

"VMHostModel" "Host Count" "VM Count"

ProLiant BL685c G1 4000 4000

ProLiant BL465c G1 5000 5000

ProLiant BL460c G1 2000 2000

Suggestions please! 🙂

Tags (2)
0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎05-22-2012 09:33 PM

Instead of count, try using dc.

source="PS_VM_Config" | chart dc(VMHost) AS "Host Count", dc(VMName) As "VM Count" by VMHostModel
Reply

jkcouch
Explorer
‎05-22-2012 10:02 PM

You nailed it. Thank you! That makes a lot of sense actually now that I see it.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...