We have some timecharts that display information collected by Server_IP, using searches similar to this

    ... | timechart sum(Bytes) by Server_IP

The problem is the IP values are reasonably meaningless to the people using this chart, so we'd like to display the hostname of the server associated with the IP. We've looked at the "charting.legend.labels" property but that is a statically defined list of values, and depending on time range selection and other values the list of IPs being displayed will change, as will the order of the IPs. So we are looking for a way to do what amounts to a lookup of each IP into a table that returns the Hostname, and use the Hostname as the label displayed in the legend. Can this be done?

asked 21 Oct '11, 13:11

beaumaris

2 Answers:

You can do either:

  • Perform the lookup before the aggregation (i.e., before timechart):

    ... | lookup iptoname Server_IP OUTPUT Server_Name | timechart sum(Bytes) by Server_Name
  • Use stats as the aggregator, and do it after stats:

    ... | bucket _time | stats sum(Bytes) by _time Server_IP | lookup iptoname Server_IP OUTPUT Server_Name | xyseries _time Server_Name sum(Bytes)

since you can replicate timechart <function> by <field> using bucket _time | stats <function> by _time <field> | xyseries _time <field> <function>


answered 22 Oct '11, 17:29

gkanapathy ♦

edited 22 Oct '11, 17:34

Are the host values not correct in the host field? Then it would just be

    ... | timechart sum(bytes) by host

answered 21 Oct '11, 15:28

jflomenberg

The data must be collected by IP, which winds up in summary indexes in a field called "Server_IP". Therefore we are stuck with trying to transform the IP into the corresponding server name when displaying the legends.

(21 Oct '11, 20:11) beaumaris

I see. Can you add the host name to the summary index? If not, you can do a lookup but you will first need to populate a csv file with the IP, hostname pairs. If you still have the raw data this should be straightforward to do with the outputcsv command. This approach has its limitations as it only works well when the IPs and hostnames are not terribly dynamic.

(21 Oct '11, 21:42) jflomenberg
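
An added example (not part of any post above) tying together the lookup-before-timechart answer and the comment about populating a CSV of IP, hostname pairs. It assumes the first search runs over raw events that still carry both Server_IP and host, writes the file with outputlookup rather than outputcsv so it lands in the app's lookups directory, and refers to the lookup by its file name iptoname.csv instead of a defined lookup called iptoname. The eval falls back to the IP itself, so a server missing from the file still gets its own legend entry instead of losing its label.

```spl
... | stats latest(host) AS Server_Name by Server_IP
    | outputlookup iptoname.csv

... | lookup iptoname.csv Server_IP OUTPUT Server_Name
    | eval Server_Name=coalesce(Server_Name, Server_IP)
    | timechart sum(Bytes) by Server_Name
```

Rerun the first search on a schedule if IP assignments change, since the chart only reflects the mapping as of the last time the file was written.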
Copyright © 2005-2014 Splunk Inc. All rights reserved.