Sum max(count) from multiple hosts

philallen1
Path Finder

Hi

I have 4 hosts. Each host collects error logs. Each log consists of a Counter, like so:

2013-12-02 11:23:26,512 INFO  type=COUNTER error count=1

So every time there is an error, the count=n part of the log increases.

I want to plot the amount of errors over time. I've set up a field extraction, called ErrorCount, for the number within "count=n". Using max(count), I have used the following search:

"type=COUNTER" ErrorCount=* host=lonrs10000 | timechart max(ErrorCount)

However, I have 3 further hosts, with their own counters running. How can I edit my search to include the other 3 hosts data?

E.g. for a specific day:

  • the count of errors on host lonrs10000 = 5

  • the count of errors on host lonrs20000 = 4

  • the count of errors on host lonrs30000 = 2

  • the count of errors on host lonrs40000 = 0

The total for this specific day should be 11. I am looking to get the total number of errors as a result from my search.

Thanks a lot,

Phil

0 Karma
1 Solution

somesoni2
SplunkTrust

Can you try this (the only limitation here is that you have to specify the span for your chart in both bucket and timechart):

"type=COUNTER" ErrorCount=* host=lonrs10000 OR host=lonrs20000 OR host=lonrs30000 OR host=lonrs40000 | bucket _time span=1d | stats max(ErrorCount) as MaxErrorCount by host,_time | timechart span=1d sum(MaxErrorCount) as TotalErrors

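Added example, not written by any poster in this thread: the accepted search replayed stage by stage as a small Python script over constructed log lines in the format shown in the question. The host names, timestamps and counter values are made up, and the script assumes, as the question's own example does, that each host's counter starts again each day. Alongside the two-stage aggregation (max per host per day, then sum across hosts) it also runs the original single-stage max across all hosts, to show why that returned 5 instead of 11.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (host, raw log line); not taken from the thread.
# Each host carries its own cumulative counter that, as in the question's
# example, starts again each day.
SAMPLE_EVENTS = [
    ("lonrs10000", "2013-12-02 09:10:00,001 INFO  type=COUNTER error count=1"),
    ("lonrs10000", "2013-12-02 11:23:26,512 INFO  type=COUNTER error count=5"),
    ("lonrs20000", "2013-12-02 10:00:00,000 INFO  type=COUNTER error count=4"),
    ("lonrs30000", "2013-12-02 12:30:00,000 INFO  type=COUNTER error count=2"),
    ("lonrs40000", "2013-12-02 08:00:00,000 INFO  type=COUNTER error count=0"),
    ("lonrs10000", "2013-12-03 09:00:00,000 INFO  type=COUNTER error count=3"),
    ("lonrs20000", "2013-12-03 15:00:00,000 INFO  type=COUNTER error count=1"),
    ("lonrs20000", "2013-12-03 15:00:01,000 INFO  type=COUNTER error count=2"),
    # A COUNTER line without count=n: the ErrorCount=* filter drops it.
    ("lonrs40000", "2013-12-03 10:00:00,000 INFO  type=COUNTER heartbeat ok"),
]

# Stand-in for the "type=COUNTER" ErrorCount=* filter plus the ErrorCount extraction.
EVENT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \S+\s+type=COUNTER\b.*?\bcount=(\d+)"
)


def parse_event(host, raw):
    """Return (host, day, ErrorCount) for a matching line, or None if filtered out."""
    m = EVENT_RE.match(raw)
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
    return host, ts.date().isoformat(), int(m.group(2))


def max_per_host_per_day(events):
    """... | bucket _time span=1d | stats max(ErrorCount) as MaxErrorCount by host,_time"""
    maxes = {}
    for host, raw in events:
        parsed = parse_event(host, raw)
        if parsed is None:
            continue
        _, day, count = parsed
        key = (day, host)
        if key not in maxes or count > maxes[key]:
            maxes[key] = count
    return maxes


def total_errors_per_day(events):
    """... | timechart span=1d sum(MaxErrorCount) as TotalErrors"""
    totals = defaultdict(int)
    for (day, _host), max_count in max_per_host_per_day(events).items():
        totals[day] += max_count
    return dict(totals)


def naive_max_per_day(events):
    """The original single-stage search, timechart max(ErrorCount), run across all
    hosts at once: only the largest counter of the day survives, so the result is
    one host's figure rather than the total over all hosts."""
    maxes = {}
    for host, raw in events:
        parsed = parse_event(host, raw)
        if parsed is None:
            continue
        _, day, count = parsed
        if day not in maxes or count > maxes[day]:
            maxes[day] = count
    return maxes


if __name__ == "__main__":
    naive = naive_max_per_day(SAMPLE_EVENTS)
    for day, total in sorted(total_errors_per_day(SAMPLE_EVENTS).items()):
        print(f"{day}: TotalErrors={total} (single-stage max would report {naive[day]})")
```

The split into `stats ... by host,_time` followed by `timechart sum(...)` is what makes the per-host maxima additive; a single `max()` over all hosts collapses them to the largest one. One caveat the script makes visible: if a host's counter never resets, `max(ErrorCount)` for a day is the running total at the end of that day, not the errors raised during it, so the per-host maximum would have to be differenced against the previous day's before summing.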
philallen1
Path Finder

This works. Thanks a lot. The timepicker on my dashboard still works too - although, obviously, won't display the chart very well on any time range less than a day.

0 Karma

gfuente
Motivator

You are right.

You can get it with | addcoltotals, or also this way:

"type=COUNTER" ErrorCount=* host=lonrs10000 OR host=lonrs20000 OR host=lonrs30000 OR host=lonrs40000 | timechart max(ErrorCount) as tempvalue by host | timechart sum(tempvalue)

Try it and let me know if it works

0 Karma

philallen1
Path Finder

Hi

Thanks for your help here, but I can't seem to get it working. When I use the query you suggested it doesn't give me any results. I understand what you're trying to do, but it just doesn't work for some reason. Any further ideas?

0 Karma

gfuente
Motivator

Hello

Try this:

"type=COUNTER" ErrorCount=* host=lonrs10000 OR host=lonrs20000 OR host=lonrs30000 OR host=lonrs40000  | timechart max(ErrorCount) by host

regards

0 Karma

philallen1
Path Finder

If I remove the 'by host' then the results from the search will be just the greatest value from the 4 hosts.
i.e. lonrs10000 = 5, lonrs20000 = 4, lonrs30000 = 2, lonrs30000 = 0
The answer would be 5, with your solution.

I need the answer to sum all of them, so the answer should be 5+4+2+0 = 11
I hope that makes sense?

0 Karma

gfuente
Motivator

Hello

I thought you needed the data per host. If you just need the total, remove the last part: "by host"

EDIT: if you need both things, add this to the first query I gave you: | addcoltotals

0 Karma

philallen1
Path Finder

Hi, thanks for your response. The search that you added doesn't add the numbers together though. It displays them as 4 separate values?
i.e. lonrs10000 = 5, lonrs20000 = 4... etc. Rather than total = 11.
Do you see what I mean?

0 Karma