Generating reports where multiple number of hosts are present

shreeCS
New Member

Hi,

I have individual persons' data available in the form of csv files, and I want to generate reports on that data. So I uploaded those csv files to Splunk for indexing and creating reports.
I uploaded each person's csv files this way: Add data -> From-Files&Directories -> Upload&IndexFile -> More Settings -> SourceType -> from list -> csv.
So the csv files were uploaded successfully. Here I made each person's data available under a different host, i.e., person A's host as A, person B's host as B, person C's host as C and so on.

Here is the sample entries for person A:

 Day  Date       InTime  OutTime
 Sun  1.08.2013   8:33    17:39
 Mon  2.03.2013   8:38    17:40
 Tue  2.03.2013   8:33    19:28
 Wed  2.03.2013   8:32    17:37
        .
        .
        .

Each person has the same fields with different values. Here I took only person A's data and calculated the difference between InTime and OutTime. The query is below:

host="A" | convert mstime(OutTime) AS otime | convert mstime(InTime) AS itime |eval durationHrs=(otime - itime )/60 | timechart values(durationHrs) As myDurationHrs

This is working fine. Now I want to come up with a report which includes each person's data, and I want to calculate each person's average durationHrs (i.e., durationHrs=(otime - itime )/60 and avg(durationHrs)). How do I do that, given that each host represents one person? If my person count is more than 10 or so, how do I combine them in a single query (like host="A" host="B" host="C" ... host="Z")?
At the end I want a chart that shows the average_durationHrs for each person.

How to do this?

0 Karma

gfuente
Motivator

Hello

Instead of host="A" at the beginning of the query you should use the sourcetype (that should be the same for all of them, if you indexed them right), let's say sourcetype="hostdata". Then you will be querying all the data at the same time.

And, at the end of the query you need to add the "by" clause to split the data by the criteria you want.

...| timechart values(durationHrs) As myDurationHrs by host

Regards

0 Karma
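
Putting the question's duration calculation together with the "by host" split from the reply, as an added example that is not part of either post: one search over every person's file that returns a single average per host, ready to render as a column chart. It assumes the files carry the `csv` sourcetype chosen at upload and that no other `csv` data sits in the same index; `average_durationHrs` is the field name the question asked for, and the `round` and `sort` steps are additions for readability.

```spl
sourcetype="csv"
| convert mstime(InTime) AS itime mstime(OutTime) AS otime
| eval durationHrs=(otime - itime)/60
| stats avg(durationHrs) AS average_durationHrs by host
| eval average_durationHrs=round(average_durationHrs, 2)
| sort host
```

`stats ... by host` yields one row per person regardless of how many hosts exist, so no host names have to be listed in the search.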