Splunk Search

help on stats(dc) command

jip31
Builder

Hello,

I use the search below to display CPU usage > 80% by host and by process name.
So the same host can have many processes where CPU usage is > 80%.

index="x" sourcetype="y" process_name=* 
| where process_cpu_used_percent>80 
| table host process_name process_cpu_used_percent

Now I need to count the number of hosts which have a process_name using more than 80% of CPU.
If the same host has many processes > 80%, I want to count only one host.
I haven't succeeded in doing this.
Could you help me, please?

0 Karma
1 Solution

pkeenan87
Communicator

The distinct count function of stats should help with this:

 index="x" sourcetype="y" process_cpu_used_percent>80
| stats dc(host) as unique_hosts

https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Stats


0 Karma
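
Added example, not part of the original thread: a self-contained search that builds five constructed events with `makeresults` (the host and process names are made up) and applies the same filter and `dc(host)` from the answer above. It also returns the raw event count and the matching process names, so the difference between counting events and counting distinct hosts is visible when one host has several processes above 80%.

```spl
| makeresults count=5
| streamstats count as n
| eval host=case(n<=3, "sample-host-a", n==4, "sample-host-b", n==5, "sample-host-c")
| eval process_name=case(n==1, "sample-proc-1", n==2, "sample-proc-2", n==3, "sample-proc-3", n==4, "sample-proc-4", n==5, "sample-proc-5")
| eval process_cpu_used_percent=case(n==1, 95, n==2, 88, n==3, 12, n==4, 91, n==5, 40)
| where process_cpu_used_percent>80
| stats dc(host) as unique_hosts count as matching_events values(process_name) as processes
```

Three of the constructed events pass the filter, two of them from `sample-host-a`, so `matching_events` and `unique_hosts` differ.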

Vijeta
Influencer

@jip31 - Can you please share sample data and expected sample output?

0 Karma

jip31
Builder

It doesn't work.
I always have different events for the same host when a host has many process_name > 80%.

index="x" sourcetype="perfmonmk:process" process_name=* process_cpu_used_percent>80
| stats dc(host)

I just want to count 1 event when a host has one or many process_name > 80%.
Could you help me, please?

0 Karma

Vijeta
Influencer

@jip31 Not exactly sure what you are looking for, but can you try the search below? Also, what is the final output you need: the host field and count, or more fields?

  index="x" sourcetype="y" process_cpu_used_percent>80
| stats count by host

0 Karma