Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Sum field in multiple hosts

nirt
Path Finder
‎11-07-2012 10:38 PM

Hi,
I want to sum an event that arrives from each host(total 3) and then graph it. I could not find the option on how to do it

Thanks in advance for your assistance

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-07-2012 10:57 PM

If you want to sum a field in the events, we will need more information. However, if you simply want to count the events by host, that's easy. In the examples, I assume that your host names are "abc" "def" and "ghi"...

host=abc OR host=def OR host=ghi
| chart count by host

or, if you want a time chart

host=abc OR host=def OR host=ghi
| timechart count by host

If this doesn't help you, then please post some sample data and give more information.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-07-2012 10:57 PM

If you want to sum a field in the events, we will need more information. However, if you simply want to count the events by host, that's easy. In the examples, I assume that your host names are "abc" "def" and "ghi"...

host=abc OR host=def OR host=ghi
| chart count by host

or, if you want a time chart

host=abc OR host=def OR host=ghi
| timechart count by host

If this doesn't help you, then please post some sample data and give more information.

0 Karma
Reply
Solved! Jump to solution

nirt
Path Finder
‎11-08-2012 12:38 AM

I have changed the timechart to the following and it seems to give me the result I want:
timechart span=10m per_minute(UsersCount)

Thanks

0 Karma
Reply
Solved! Jump to solution

nirt
Path Finder
‎11-07-2012 11:01 PM

Thanks for the quick reply, the timechart gives me each host in it's own line - how can i sum it into one line?
I used this:
index="short_stats" host="XX_users" OR host="YY_users" OR host="XY_users" earliest=-0d@d latest=+1d@d | timechart span=30m max(UsersCount) by host

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...