Re: Summary Index and timechart by host

tmurray3 · ‎02-18-2014

I have created a saved search which runs once an hour and records to a summary index. The search allows me to determine the number of transactions per second by host.

index=data "Start::" | bucket _time span=1s | sistats count by _time,host

From the summary index, I can create a report which gives me average, max, min, total count by the hour for all hosts.

index=summary report="summary_by_seconds"| timechart span=1s count as count |timechart span=1h avg(count) as avgcount max(count) as maxcount min(count) as mincount, sum(count) as totalcountperhour

However, I would also like to provide the same report for each host. I cannot figure out what the exact query should be. I have added the by host to the query, but no luck.

The summary contains host info:

02/18/2014 13:59:59 -0500, search_name=SummaryTPS, search_now=1392753600.000, info_min_time=1392746400.000, info_max_time=1392750000.000, info_search_time=1392753661.356, orig_host=v0305, psrsvd_gc=1, psrsvd_v=1, report="summary_by_seconds"

Any ideas?

Thanks in advance for your assistance!!!!

somesoni2 · ‎02-18-2014

Try this

index=summary report="summary_by_seconds"| stats count by host,_time  |timechart span=1h avg(count) as avgcount max(count) as maxcount min(count) as mincount, sum(count) as totalcountperhour by host

somesoni2 · ‎02-18-2014

great. Please close the question if there are no followup questions.

tmurray3 · ‎02-18-2014

Thanks, that worked perfectly.

Summary Index and timechart by host

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation