Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Sum field in multiple hosts

nirt
Path Finder
‎11-07-2012 10:38 PM

Hi,
I want to sum an event that arrives from each host(total 3) and then graph it. I could not find the option on how to do it

Thanks in advance for your assistance

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-07-2012 10:57 PM

If you want to sum a field in the events, we will need more information. However, if you simply want to count the events by host, that's easy. In the examples, I assume that your host names are "abc" "def" and "ghi"...

host=abc OR host=def OR host=ghi
| chart count by host

or, if you want a time chart

host=abc OR host=def OR host=ghi
| timechart count by host

If this doesn't help you, then please post some sample data and give more information.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-07-2012 10:57 PM

If you want to sum a field in the events, we will need more information. However, if you simply want to count the events by host, that's easy. In the examples, I assume that your host names are "abc" "def" and "ghi"...

host=abc OR host=def OR host=ghi
| chart count by host

or, if you want a time chart

host=abc OR host=def OR host=ghi
| timechart count by host

If this doesn't help you, then please post some sample data and give more information.

0 Karma
Reply
Solved! Jump to solution

nirt
Path Finder
‎11-08-2012 12:38 AM

I have changed the timechart to the following and it seems to give me the result I want:
timechart span=10m per_minute(UsersCount)

Thanks

0 Karma
Reply
Solved! Jump to solution

nirt
Path Finder
‎11-07-2012 11:01 PM

Thanks for the quick reply, the timechart gives me each host in it's own line - how can i sum it into one line?
I used this:
index="short_stats" host="XX_users" OR host="YY_users" OR host="XY_users" earliest=-0d@d latest=+1d@d | timechart span=30m max(UsersCount) by host

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...