Is there a way to get a Top Hosts count and add to each host's count using a value from a k/v pair in the event itself?
Example:
<158>Mar 26 15:01:36 m500 admd SSO: write 35 bytes on fd(11) OK repeatCount=300
source = tcp:514 sourcetype = generic_single_line
So this would come up as (300 + count of events for that host).
I'm new to Splunk so not very familiar with the query language. I found this on Google and tried it:
| metasearch index=* | eval Date=strftime(_time,"%Y-%m-%d") | chart count over host by Date
But I don't know how to add the count from that k/v.
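An added example, not part of the original post: one way to get the weighted total described above. `metasearch` returns only index-time metadata (host, source, sourcetype, _time), so `repeatCount` is not available to it; a regular search is used instead. The field names `weight`, `events`, `repeat_total` and `weighted_count` are made up for this sketch, and `host` is assumed to be populated as in the question's query.

```spl
index=* sourcetype=generic_single_line
| rex field=_raw "repeatCount=(?<repeatCount>\d+)"
| eval weight = 1 + coalesce(tonumber(repeatCount), 0)
| stats count AS events, sum(repeatCount) AS repeat_total, sum(weight) AS weighted_count BY host
| sort 10 -weighted_count
```

Events without a `repeatCount` pair contribute 1 each, so `weighted_count` equals `events` plus the summed `repeatCount` values for that host. For the per-day layout of the original query, replace the last two lines with `| eval Date=strftime(_time,"%Y-%m-%d") | chart sum(weight) over host by Date`.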