Sum field in multiple hosts

nirt
Path Finder

Hi,
I want to sum an event that arrives from each host (total 3) and then graph it. I could not find the option on how to do it.

Thanks in advance for your assistance


lguinn2
Legend

If you want to sum a field in the events, we will need more information. However, if you simply want to count the events by host, that's easy. In the examples, I assume that your host names are "abc", "def" and "ghi"...

host=abc OR host=def OR host=ghi
| chart count by host

or, if you want a time chart

host=abc OR host=def OR host=ghi
| timechart count by host

If this doesn't help you, then please post some sample data and give more information.

nirt
Path Finder

I have changed the timechart to the following and it seems to give me the result I want:
timechart span=10m per_minute(UsersCount)

Thanks


nirt
Path Finder

Thanks for the quick reply, the timechart gives me each host in its own line - how can I sum it into one line?
I used this:
index="short_stats" host="XX_users" OR host="YY_users" OR host="XY_users" earliest=-0d@d latest=+1d@d | timechart span=30m max(UsersCount) by host
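
One way to get the single combined line asked about in this thread, as an added example that is not part of the original posts: take each host's peak UsersCount in every 30-minute bucket, then add the three peaks into one series. A plain `timechart span=30m sum(UsersCount)` would instead add every event in the bucket, so a host that reports more than once per bucket would be counted several times. The field names `host_peak` and `total_users` are made up for this example, and it assumes UsersCount is a current-users reading that each host reports on its own.

```spl
index="short_stats" host="XX_users" OR host="YY_users" OR host="XY_users" earliest=-0d@d latest=+1d@d
| bin _time span=30m
| stats max(UsersCount) AS host_peak BY _time, host
| timechart span=30m sum(host_peak) AS total_users
```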
