Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

Sum field in multiple hosts

nirt
Path Finder
‎11-07-2012 10:38 PM

Hi,
I want to sum an event that arrives from each host(total 3) and then graph it. I could not find the option on how to do it

Thanks in advance for your assistance

Tags (1)
0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: Sum field in multiple hosts

lguinn2
Legend
‎11-07-2012 10:57 PM

If you want to sum a field in the events, we will need more information. However, if you simply want to count the events by host, that's easy. In the examples, I assume that your host names are "abc" "def" and "ghi"...

host=abc OR host=def OR host=ghi
| chart count by host

or, if you want a time chart

host=abc OR host=def OR host=ghi
| timechart count by host

If this doesn't help you, then please post some sample data and give more information.

View solution in original post

0 Karma
Reply
Highlighted
Solved! Jump to solution

Re: Sum field in multiple hosts

nirt
Path Finder
‎11-07-2012 11:01 PM

Thanks for the quick reply, the timechart gives me each host in it's own line - how can i sum it into one line?
I used this:
index="shortstats" host="XXusers" OR host="YYusers" OR host="XYusers" earliest=-0d@d latest=+1d@d | timechart span=30m max(UsersCount) by host

0 Karma
Reply
Highlighted
Solved! Jump to solution

Re: Sum field in multiple hosts

nirt
Path Finder
‎11-08-2012 12:38 AM

I have changed the timechart to the following and it seems to give me the result I want:
timechart span=10m per_minute(UsersCount)

Thanks

0 Karma
Reply