Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Match fields in chart

jkcouch
Explorer
‎05-22-2012 09:14 PM

I am a Splunk newcomer. Not sure if this is a good title but here is the data set (11,000 events, one for each VM):

05/22/2012 08:49:25 GMT hostname Cluster="tempcluster" CpuLimitMhz="-1" CpuReservationMhz="0" CpuSharesLevel="Normal" MemLimitMB="-1" MemReservationMB="0" MemSharesLevel="Normal" NumCpuShares="2000" VCenter="vcenter" VirtualMachineId="VirtualMachine-vm-000" VMHardwareVersion="v7" VMHost="esx001.tmpdmn.com" VMHostModel="ProLiant BL685c G1" VMHostState="Connected" VMHostVersion="VMware ESXi 4.1.0 build-433742" VMName="tmpvmname" VMToolsVersion="8194" VMToolsVersionStatus="guestToolsNeedUpgrade" ScriptRunTime="129821436005339451"

I am wanting the chart to look someting like this:

"VMHostModel" "Host Count" "VM Count"

ProLiant BL685c G1 400 4000

ProLiant BL465c G1 500 5000

ProLiant BL460c G1 200 2000

Here is what I have so far:

source="PS_VM_Config" | dedup VMName date_mday | chart count(VMHostModel) AS "Host Count", count(VMName) As "VM Count" by VMHostModel

But right now it looks like:

"VMHostModel" "Host Count" "VM Count"

ProLiant BL685c G1 4000 4000

ProLiant BL465c G1 5000 5000

ProLiant BL460c G1 2000 2000

Suggestions please! 🙂

Tags (2)
0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎05-22-2012 09:33 PM

Instead of count, try using dc.

source="PS_VM_Config" | chart dc(VMHost) AS "Host Count", dc(VMName) As "VM Count" by VMHostModel
Reply

jkcouch
Explorer
‎05-22-2012 10:02 PM

You nailed it. Thank you! That makes a lot of sense actually now that I see it.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...