I am a Splunk newcomer. Not sure if this is a good title but here is the data set (11,000 events, one for each VM):
05/22/2012 08:49:25 GMT hostname Cluster="tempcluster" CpuLimitMhz="-1" CpuReservationMhz="0" CpuSharesLevel="Normal" MemLimitMB="-1" MemReservationMB="0" MemSharesLevel="Normal" NumCpuShares="2000" VCenter="vcenter" VirtualMachineId="VirtualMachine-vm-000" VMHardwareVersion="v7" VMHost="esx001.tmpdmn.com" VMHostModel="ProLiant BL685c G1" VMHostState="Connected" VMHostVersion="VMware ESXi 4.1.0 build-433742" VMName="tmpvmname" VMToolsVersion="8194" VMToolsVersionStatus="guestToolsNeedUpgrade" ScriptRunTime="129821436005339451"
I am wanting the chart to look something like this:
"VMHostModel"         "Host Count"   "VM Count"
ProLiant BL685c G1    400            4000
ProLiant BL465c G1    500            5000
ProLiant BL460c G1    200            2000
Here is what I have so far:
source="PS_VM_Config" | dedup VMName date_mday | chart count(VMHostModel) AS "Host Count", count(VMName) As "VM Count" by VMHostModel
But right now it looks like:
"VMHostModel"         "Host Count"   "VM Count"
ProLiant BL685c G1    4000           4000
ProLiant BL465c G1    5000           5000
ProLiant BL460c G1    2000           2000
Suggestions please! 🙂
Instead of count, try using dc.
source="PS_VM_Config" | chart dc(VMHost) AS "Host Count", dc(VMName) As "VM Count" by VMHostModel
You nailed it. Thank you! That makes a lot of sense actually now that I see it.
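Why the two searches in this thread differ, as an added example that is not part of the original posts: a Python sketch that parses events in the key="value" layout shown in the question and computes, per VMHostModel, what count(VMHostModel), dc(VMHost) and dc(VMName) would return. The sample events, host names and VM names are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample events in the question's key="value" layout.
# vm-a is reported on two days, which is what the original dedup was guarding against.
SAMPLE_EVENTS = [
    '05/22/2012 08:49:25 GMT hostname VMHost="esx001.tmpdmn.com" VMHostModel="ProLiant BL685c G1" VMName="vm-a"',
    '05/22/2012 08:49:25 GMT hostname VMHost="esx001.tmpdmn.com" VMHostModel="ProLiant BL685c G1" VMName="vm-b"',
    '05/22/2012 08:49:25 GMT hostname VMHost="esx002.tmpdmn.com" VMHostModel="ProLiant BL685c G1" VMName="vm-c"',
    '05/23/2012 08:49:25 GMT hostname VMHost="esx001.tmpdmn.com" VMHostModel="ProLiant BL685c G1" VMName="vm-a"',
    '05/22/2012 08:49:25 GMT hostname VMHost="esx003.tmpdmn.com" VMHostModel="ProLiant BL465c G1" VMName="vm-d"',
    '05/22/2012 08:49:25 GMT hostname VMHost="esx003.tmpdmn.com" VMHostModel="ProLiant BL465c G1" VMName="vm-e"',
]

PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Return the key="value" pairs of one event as a dict."""
    return dict(PAIR.findall(line))


def chart_by_model(lines):
    """Per VMHostModel: event count, distinct hosts, distinct VM names."""
    events = defaultdict(int)
    hosts = defaultdict(set)
    vms = defaultdict(set)
    for line in lines:
        fields = parse_event(line)
        model = fields.get("VMHostModel")
        if model is None:
            continue  # an event without the split-by field lands in no row
        events[model] += 1  # count(): one per event, i.e. one per VM report
        if "VMHost" in fields:
            hosts[model].add(fields["VMHost"])  # dc(VMHost): repeats collapse
        if "VMName" in fields:
            vms[model].add(fields["VMName"])  # dc(VMName): repeats collapse
    return {
        m: {"count": events[m], "dc_host": len(hosts[m]), "dc_vm": len(vms[m])}
        for m in events
    }


if __name__ == "__main__":
    for model, row in chart_by_model(SAMPLE_EVENTS).items():
        print(model, row)
```

Counting VMHostModel grouped by VMHostModel just counts events, which is why "Host Count" matched "VM Count" in the question; the distinct counts also absorb the repeated vm-a report, so the dedup step is not needed for these two columns.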