Splunk Search

Summary Index and timechart by host

tmurray3
Path Finder

I have created a saved search which runs once an hour and records to a summary index. The search allows me to determine the number of transactions per second by host.

index=data "Start::" | bucket _time span=1s | sistats count by _time,host

From the summary index, I can create a report which gives me average, max, min, total count by the hour for all hosts.

index=summary report="summary_by_seconds" | timechart span=1s count as count | timechart span=1h avg(count) as avgcount max(count) as maxcount min(count) as mincount, sum(count) as totalcountperhour

However, I would also like to provide the same report for each host. I cannot figure out what the exact query should be. I have added the by host to the query, but no luck.

The summary contains host info:

02/18/2014 13:59:59 -0500, search_name=SummaryTPS, search_now=1392753600.000, info_min_time=1392746400.000, info_max_time=1392750000.000, info_search_time=1392753661.356, orig_host=v0305, psrsvd_gc=1, psrsvd_v=1, report="summary_by_seconds"

Any ideas?

Thanks in advance for your assistance!!!!


somesoni2
Revered Legend

Try this

index=summary report="summary_by_seconds" | stats count by host,_time | timechart span=1h avg(count) as avgcount max(count) as maxcount min(count) as mincount, sum(count) as totalcountperhour by host
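
An added illustration, not part of somesoni2's answer: a Python model of the aggregation in the query above. It shows that `stats count by host,_time` produces rows only for seconds in which a host logged at least one event, so avgcount and mincount describe active seconds only, whereas `timechart span=1s` (as in the question's all-hosts query) zero-fills empty seconds by default. The sample events, function names and the `fill_empty_seconds` switch are constructed for this example, and the zero-fill branch assumes the search range covers whole hours.

```python
from collections import Counter, defaultdict

HOUR = 3600

# Constructed sample: one (epoch_second, host) tuple per "Start::" event.
EVENTS = (
    [(0, "v0305")] * 3 + [(1, "v0305")] * 5 + [(10, "v0305")] * 2
    + [(0, "v0306")] * 4 + [(3599, "v0306")] * 1
    + [(3600, "v0305")] * 7
)


def per_second_counts(events):
    """Model of `stats count by host,_time` on 1s-bucketed events.

    Only (host, second) pairs that actually occur get a row.
    """
    return Counter((host, t) for t, host in events)


def hourly_by_host(events, fill_empty_seconds=False):
    """Model of `timechart span=1h avg/max/min/sum(count) by host`.

    fill_empty_seconds=True pads each host-hour that has data with zero
    counts for its silent seconds, which is how a zero-filled per-second
    series would look before the hourly roll-up.
    """
    groups = defaultdict(list)
    for (host, t), n in per_second_counts(events).items():
        groups[(host, t - t % HOUR)].append(n)

    report = {}
    for key, values in groups.items():
        if fill_empty_seconds:
            values = values + [0] * (HOUR - len(values))
        report[key] = {
            "avgcount": sum(values) / len(values),
            "maxcount": max(values),
            "mincount": min(values),
            "totalcountperhour": sum(values),
        }
    return report


if __name__ == "__main__":
    for label, fill in (("active seconds only", False), ("zero-filled", True)):
        print(label)
        for key, row in sorted(hourly_by_host(EVENTS, fill).items()):
            print("  ", key, row)
```

maxcount and totalcountperhour are identical in both modes; only avgcount and mincount depend on whether silent seconds are counted.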

somesoni2
Revered Legend

Great. Please close the question if there are no follow-up questions.


tmurray3
Path Finder

Thanks, that worked perfectly.
