Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: chart by source and hostname
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Splunkers,
I am trying to correlate hostnames to multiple sources (4 .csv host files) to see if I can find where the same hostnames show up in those sources. I have the data into Splunk and have individually done initial searches through each of the host files to give myself a clean list of hostnames but I don't quite know how to sort through the resulting data to chart which hostnames appear in what sources.
index=assets source="/scratch/assets/DG-Windows.csv" | dedup MACHINE_NAME
index=assets source="/scratch/assets/DG-Mac.csv" | dedup MACHINE_NAME
index=assets source="/scratch/assets/Altiris.csv | dedup System Name
index=assets source="/scratch/assets/Asset-Mgmt.csv" | dedup HostName
Does anyone know how this could be done?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked for me. It's kind of cludgey looking but it gave me what I needed. Check it out:
index=assets source="/scratch/cadence_assets/*.csv" (NOT "System Type"="Virtual" NOT "System Type"="Server" NOT "System Type"="Thin Client") | rename "System Name" as MACHINE_NAME | rename "HostName" as MACHINE_NAME | dedup source MACHINE_NAME | chart count over MACHINE_NAME by source
Thank you all very much for your excellent suggestions and helpful queries!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked for me. It's kind of cludgey looking but it gave me what I needed. Check it out:
index=assets source="/scratch/cadence_assets/*.csv" (NOT "System Type"="Virtual" NOT "System Type"="Server" NOT "System Type"="Thin Client") | rename "System Name" as MACHINE_NAME | rename "HostName" as MACHINE_NAME | dedup source MACHINE_NAME | chart count over MACHINE_NAME by source
Thank you all very much for your excellent suggestions and helpful queries!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thats exactly the information and format I am looking for! The search by somesoni2 is pretty close but it only seems to identify hosts that are in DG-Windows.csv OR DG-Mac.csv. It doesn't seem to identify any other .csv files in which the assets reside (which is the case). Thank you both for your valuable assistance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
index=assets source="/scratch/assets/DG-Windows.csv" OR source="/scratch/assets/DG-Mac.csv" OR source="/scratch/assets/Altiris.csv" OR source="/scratch/assets/Asset-Mgmt.csv"
| eval MACHINE_NAME=coalesce(coalesce(MACHINE_NAME,HostName),'System Name') | dedup source MACHINE_NAME | chart count over MACHINE_NAME by source
This will give you chart for which host appears in which source. Select the type of chart as stacked column chart to see the host on x-axis with name of source at columns.
Updated
Give this a try
|multisearch [search index=assets source="/scratch/assets/DG-Windows.csv" | dedup MACHINE_NAME][search index=assets source="/scratch/assets/DG-Mac.csv" | dedup MACHINE_NAME ][search index=assets source="/scratch/assets/Altiris.csv | dedup "System Name" |rename "SystemName" as MACHINE_NAME] [searchindex=assets source="/scratch/assets/Asset-Mgmt.csv" | dedup HostName | rename HostName as MACHINE_NAME] | chart count over MACHINE_NAME by source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am getting the following error when running this query:
Error in 'multisearch' command: Multisearch subsearches may only contain purely streaming operations (subsearch 1 contains a non-streaming command.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you sure that you are clear with your use case. Since you have done dedup the maximum possible count for any host after |dedup MACHINE_NAME | stats count by MACHINE_NAME will be 1. When you put it table format, the values will be either 0 or 1. Something like below table.
Host_Name Source1 Source2 Source3 Source4
A 1 1 0 0
B 0 0 1 0
If your need is like above table then we can help you with the searches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And the field it extracts is "System Name".
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Essentially, I'm trying to find a way to show which hostname is in which source. I'm imagining a chart where rows are hostnames and columns are the source.
Does that make sense?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you want to chart hostname count VS source?
Also, i assume in the search #3 it is SystemName
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
