Re: Is it possible to group results by their tag?

richnavis · ‎10-17-2011

I'd have a number of servers that are tagged with a category of the system owner. Can I use these tags to group the reports?

Servers 1 to 10 have a tag named "systems"
Servers 11 to 20 have a tag named "database"
Servers 21 to 30 have a tag named "database"

Is it possible to write a search that groups results by tag?

For example, if I was searching for the number of errors on all these servers, it would return something like this..

Tag Count
systems 22
database 18
network 8

gkanapathy · ‎10-17-2011

... | stats count by host::tag

crazyeva · ‎10-21-2013

Why it doesn't work? I tried and get what I wanted.
But I have question: If a server was tagged "systems" and meanwhile "database", will that event be counted twice when "stats count by tag::host"?

asdfasdf12321 · ‎03-17-2015

Yes, it would be counted twice in this case.

richnavis · ‎10-19-2011

Although this doesn't return an error, it also doesn't return any results.

gkanapathy · ‎10-19-2011

my mistake. i meant ... | stats count by tag::host

richnavis · ‎10-19-2011

Thanks for the reply, but when I attempt this, I get Error in 'stats' command: The argument 'host::tag' is invalid. I wasn't sure if you meant this literally, or if tag should have been replaced by the name of the tag. I tried the tag name "Owner" it the same error occurred.. I'm running 4.2.1.. Perhaps this is no longer supported?

Is it possible to group results by their tag?

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024