Summary Index and timechart by host

tmurray3 · ‎02-18-2014

I have created a saved search which runs once an hour and records to a summary index. The search allows me to determine the number of transactions per second by host.

index=data "Start::" | bucket _time span=1s | sistats count by _time,host

From the summary index, I can create a report which gives me average, max, min, total count by the hour for all hosts.

index=summary report="summary_by_seconds"| timechart span=1s count as count |timechart span=1h avg(count) as avgcount max(count) as maxcount min(count) as mincount, sum(count) as totalcountperhour

However, I would also like to provide the same report for each host. I cannot figure out what the exact query should be. I have added the by host to the query, but no luck.

The summary contains host info:

02/18/2014 13:59:59 -0500, search_name=SummaryTPS, search_now=1392753600.000, info_min_time=1392746400.000, info_max_time=1392750000.000, info_search_time=1392753661.356, orig_host=v0305, psrsvd_gc=1, psrsvd_v=1, report="summary_by_seconds"

Any ideas?

Thanks in advance for your assistance!!!!

somesoni2 · ‎02-18-2014

Try this

index=summary report="summary_by_seconds"| stats count by host,_time  |timechart span=1h avg(count) as avgcount max(count) as maxcount min(count) as mincount, sum(count) as totalcountperhour by host

somesoni2 · ‎02-18-2014

great. Please close the question if there are no followup questions.

tmurray3 · ‎02-18-2014

Thanks, that worked perfectly.

Summary Index and timechart by host

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms