Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Sum max(count) from multiple hosts
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I have 4 hosts. Each host collects error logs. Each log consists of a Counter, like so:
2013-12-02 11:23:26,512 INFO type=COUNTER error count=1
So every time there is an error, the count=n part of the log increases.
I want to plot the amount of errors over time. I've set up a field extraction, called ErrorCount, for the number within "count=n". Using max(count), I have used the following search:
"type=COUNTER" ErrorCount=* host=lonrs10000 | timechart max(ErrorCount)
However, I have 3 further hosts, with their own counters running. How can I edit my search to include the other 3 hosts data?
E.g. for a specific day:
the count of errors on host lonrs10000 = 5
the count of errors on host lonrs20000 = 4
the count of errors on host lonrs30000 = 2
the count of errors on host lonrs40000 = 0
The total for this specific day should be 11. I am looking to get the total number of errors as a result from my search.
.
Thanks a lot,
Phil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try this:- (only limitation here is that you would have to specify the span for your chart, in bucket and in timechart both)
"type=COUNTER" ErrorCount=* host=lonrs10000 OR host=lonrs20000 OR host=lonrs30000 OR host=lonrs40000 | bucket _time span=1d | stats max(ErrorCount) as MaxErrorCount by host,_time | timechart span=1d sum(MaxErrorCount) as TotalErrors
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try this:- (only limitation here is that you would have to specify the span for your chart, in bucket and in timechart both)
"type=COUNTER" ErrorCount=* host=lonrs10000 OR host=lonrs20000 OR host=lonrs30000 OR host=lonrs40000 | bucket _time span=1d | stats max(ErrorCount) as MaxErrorCount by host,_time | timechart span=1d sum(MaxErrorCount) as TotalErrors
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works. Thanks a lot. The timepicker on my dashboard still works too - although, obviously, won't display the chart very well on any time range less than a day.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are right,
You can get it with the | adcoltotals, or also this way:
"type=COUNTER" ErrorCount=* host=lonrs10000 OR host=lonrs20000 OR host=lonrs30000 OR host=lonrs40000 | timechart max(ErrorCount) as tempvalue by host | timechart sum(tempvalue)
Try it and let me know if it works
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Thanks for your help here, but I can't seem to get it working. When I use the query you suggested it doesn't give me any results. I understand what you're trying to do, but it just doesn't work for some reason. Any further ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
Try this:
"type=COUNTER" ErrorCount=* host=lonrs10000 OR host=lonrs20000 OR host=lonrs30000 OR host=lonrs40000 | timechart max(ErrorCount) by host
regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I remove the 'by host' then the results from the search will be just the greatest value from the 4 hosts.
i.e. lonrs10000 = 5, lonrs20000 = 4, lonrs30000 = 2, lonrs30000 = 0
The answer would be 5, with your solution.
I need the answer to sum all of them, so the answer should be 5+4+2+0 = 11
I hope that makes sense?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I though you needed the data per host. If you just need the total remove the last part: "by host"
EDIT: if you need both things, add this to the first query i gave you: | addcoltotals
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, thanks for your response. The search that you added doesn't add the numbers together though. It displays them as 4 separate values?
i.e. lonrs10000 = 5, lonrs20000 = 4... etc. Rather than total = 11.
Do you see what I mean?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
