Solved: Re: Sum max(count) from multiple hosts

philallen1 · ‎12-03-2013

Hi

I have 4 hosts. Each host collects error logs. Each log consists of a Counter, like so:

2013-12-02 11:23:26,512 INFO  type=COUNTER error count=1

So every time there is an error, the count=n part of the log increases.

I want to plot the amount of errors over time. I've set up a field extraction, called ErrorCount, for the number within "count=n". Using max(count), I have used the following search:

"type=COUNTER" ErrorCount=* host=lonrs10000 | timechart max(ErrorCount)

However, I have 3 further hosts, with their own counters running. How can I edit my search to include the other 3 hosts data?

E.g. for a specific day:

the count of errors on host lonrs10000 = 5
the count of errors on host lonrs20000 = 4
the count of errors on host lonrs30000 = 2
the count of errors on host lonrs40000 = 0

The total for this specific day should be 11. I am looking to get the total number of errors as a result from my search.

.

Thanks a lot,

Phil

somesoni2 · ‎12-03-2013

Can you try this:- (only limitation here is that you would have to specify the span for your chart, in bucket and in timechart both)

"type=COUNTER" ErrorCount=* host=lonrs10000 OR host=lonrs20000 OR host=lonrs30000 OR host=lonrs40000 | bucket _time span=1d | stats max(ErrorCount) as MaxErrorCount by host,_time | timechart span=1d sum(MaxErrorCount) as TotalErrors

View solution in original post

somesoni2 · ‎12-03-2013

Can you try this:- (only limitation here is that you would have to specify the span for your chart, in bucket and in timechart both)

"type=COUNTER" ErrorCount=* host=lonrs10000 OR host=lonrs20000 OR host=lonrs30000 OR host=lonrs40000 | bucket _time span=1d | stats max(ErrorCount) as MaxErrorCount by host,_time | timechart span=1d sum(MaxErrorCount) as TotalErrors

philallen1 · ‎12-03-2013

This works. Thanks a lot. The timepicker on my dashboard still works too - although, obviously, won't display the chart very well on any time range less than a day.

gfuente · ‎12-03-2013

You are right,

You can get it with the | adcoltotals, or also this way:

"type=COUNTER" ErrorCount=* host=lonrs10000 OR host=lonrs20000 OR host=lonrs30000 OR host=lonrs40000 | timechart max(ErrorCount) as tempvalue by host | timechart sum(tempvalue)

Try it and let me know if it works

philallen1 · ‎12-03-2013

Hi

Thanks for your help here, but I can't seem to get it working. When I use the query you suggested it doesn't give me any results. I understand what you're trying to do, but it just doesn't work for some reason. Any further ideas?

gfuente · ‎12-03-2013

Hello

Try this:

"type=COUNTER" ErrorCount=* host=lonrs10000 OR host=lonrs20000 OR host=lonrs30000 OR host=lonrs40000  | timechart max(ErrorCount) by host

regards

philallen1 · ‎12-03-2013

If I remove the 'by host' then the results from the search will be just the greatest value from the 4 hosts.
i.e. lonrs10000 = 5, lonrs20000 = 4, lonrs30000 = 2, lonrs30000 = 0
The answer would be 5, with your solution.

I need the answer to sum all of them, so the answer should be 5+4+2+0 = 11
I hope that makes sense?

gfuente · ‎12-03-2013

Hello

I though you needed the data per host. If you just need the total remove the last part: "by host"

EDIT: if you need both things, add this to the first query i gave you: | addcoltotals

philallen1 · ‎12-03-2013

Hi, thanks for your response. The search that you added doesn't add the numbers together though. It displays them as 4 separate values?
i.e. lonrs10000 = 5, lonrs20000 = 4... etc. Rather than total = 11.
Do you see what I mean?

Sum max(count) from multiple hosts

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?