help on stats(dc) command

jip31
Motivator

Hello,

I use the search below to display CPU usage greater than 80% by host and by process name.
So the same host can have many processes where CPU usage is greater than 80%.

index="x" sourcetype="y" process_name=* 
| where process_cpu_used_percent>80 
| table host process_name process_cpu_used_percent

Now I need to count the number of hosts which have a process_name using more than 80% of CPU.
If the same host has many processes above 80%, I want to count only one host.
I don't succeed in doing this.
Could you help me please?


pkeenan87
Communicator

The distinct count function of stats should help with this:

 index="x" sourcetype="y" process_cpu_used_percent>80
| stats dc(host) as unique_hosts

https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Stats


Vijeta
Influencer

@jip31 - Can you please share sample data and expected sample output?


jip31
Motivator

It doesn't work.
I always have different events for the same host when a host has many process_name >80%
index="x" sourcetype="perfmonmk:process" process_name=* process_cpu_used_percent>80
| stats dc(host)

I just want to count 1 event when a host has one or many process_name >80%.
Could you help me please?


Vijeta
Influencer

@jip31 Not exactly sure what you are looking for, but can you try the search below? Also, what is the final output you need: the host field and count, or more fields?

  index="x" sourcetype="y" process_cpu_used_percent>80|stats count by host
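
An added example, not from any of the posters above: a self-contained search that builds four constructed events (hostA has two processes over 80%, hostB one, hostC none) and puts the distinct host count from the accepted answer next to the raw count of matching events. The host names, process names and the `constructed_rows`, `events_over_80` and `hosts` field names are assumptions made for the illustration.

```spl
| makeresults
| eval constructed_rows="hostA,proc1,95;hostA,proc2,88;hostB,proc3,91;hostC,proc4,40"
| makemv delim=";" constructed_rows
| mvexpand constructed_rows
| rex field=constructed_rows "^(?<host>[^,]+),(?<process_name>[^,]+),(?<process_cpu_used_percent>\d+)$"
| eval process_cpu_used_percent=tonumber(process_cpu_used_percent)
| where process_cpu_used_percent>80
| stats dc(host) as unique_hosts, count as events_over_80, values(host) as hosts
```

Replacing the last line with `| stats count by host` returns one row per host with its number of matching events instead of a single total.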