I am still learning all the nice functionality in Splunk, but have some trouble with this.
Example structure:
Aug 05 09:27:33 palito dog
Here I have two interesting fields:
host=palito
info=dog
Sample data:
Aug 05 09:27 palito dog
Aug 05 09:28 habo cat
Aug 05 09:29 jago horse
Aug 05 09:30 palito cat
Aug 05 09:31 palito cat
Aug 05 09:32 habo cat
Aug 05 09:33 jago horse
Aug 05 09:34 palito horse
Aug 05 09:35 habo dog
From this I would like to get the graph sorted on the info (animal), so I get the top 5 animals using this:
* | top limit=5 info
This gives three columns: cat=4, dog=2 and horse=3.
So far I am in full control of the situation.
But then I would also like to see the representation of the hosts, so this data gives:
cat   4   palito 2   habo 2
dog   2   palito 1   habo 1
horse 3   palito 1   jago 2
I know how to select format-stacked, but not how to get 3 columns with 4 for cat, where I colour-separate it into 2 palito and 2 habo, etc.
So it should be 3 columns with the host percentage showing in each of them.
I tried this, but it is not working:
* | top limit=5 info by host
Example of how the three columns should look:
h
h j
p h j
p p p
--------------------
cat dog horse
Where p,h, and j are different colors.
Try something like this:
* | chart count over info by host | addtotals fieldname="Total" | table info Total * | sort - Total | head 5
This should give you a nice table with info (animal name) as the first column, Total (total count), and the count by host as separate columns. Just select the stacked option in the visualization and you're set.
Thank you, this is really close to what I need.
So as not to add Total to every column, I removed it; it now looks like this:
* | chart count over info by host | addtotals fieldname="Total" | table info Total * | sort - Total | head 5 | fields - Total
But I have a problem with addtotals. It sums up all the fields, which is OK, but if the field name is a number, it adds the number of the field name to the Total. To me that seems to be a bug. Is there a way around it?
This is what I like to get:
info\host   palito   habo   jago   Total
-----------------------------------------
cat         2        2             4
dog         1        1             2
82          1               2      3
This is what Splunk gives; look at the Total for 82:
info\host   palito   habo   jago   Total
-----------------------------------------
cat         2        2             4
dog         1        1             2
82          1               2      85
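To make the pivot and the totals problem above concrete outside Splunk, here is an added Python model of what `chart count over info by host` followed by a row total does. It is an illustration written for this thread, not Splunk's own implementation or code from any poster. The first nine log lines are the sample data from the question; the three lines with info `82` are constructed here to reproduce the numeric-info case from the follow-up. `total_all_numeric_fields` models a total that sums every numeric-looking field in the row (which picks up the `82` itself), and `total_host_columns` computes the total over the host columns only, which is the number the table should show.

```python
from collections import defaultdict

# Constructed sample input in the thread's "Mon DD HH:MM host info" format.
# The nine animal lines are the ones from the question; the three "82" lines
# are added here (an assumption) to reproduce the numeric-info pitfall.
SAMPLE_LOG = """\
Aug 05 09:27 palito dog
Aug 05 09:28 habo cat
Aug 05 09:29 jago horse
Aug 05 09:30 palito cat
Aug 05 09:31 palito cat
Aug 05 09:32 habo cat
Aug 05 09:33 jago horse
Aug 05 09:34 palito horse
Aug 05 09:35 habo dog
Aug 05 09:36 palito 82
Aug 05 09:37 jago 82
Aug 05 09:38 jago 82
"""


def parse_line(line):
    """Split one log line into (host, info); the timestamp fields are ignored."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError(f"unexpected line format: {line!r}")
    _month, _day, _time, host, info = parts
    return host, info


def chart_count_over_by(lines):
    """Model of `chart count over info by host`: one row per info value, one
    column per host, cell = number of matching events.
    Returns (rows, hosts): rows is {info: {host: count}}, hosts is the column
    list in first-seen order."""
    rows = defaultdict(lambda: defaultdict(int))
    hosts = []
    for line in lines:
        if not line.strip():
            continue
        host, info = parse_line(line)
        if host not in hosts:
            hosts.append(host)
        rows[info][host] += 1
    return {info: dict(cells) for info, cells in rows.items()}, hosts


def _is_numeric(value):
    try:
        float(value)
        return True
    except ValueError:
        return False


def total_all_numeric_fields(info, cells):
    """Sum every numeric-looking field in the row, including the split-by
    value itself. This reproduces the inflated total the thread describes
    when the info value is a number such as "82"."""
    total = sum(cells.values())
    if _is_numeric(info):
        total += float(info)
    return total


def total_host_columns(cells, hosts):
    """Sum only the host columns, whatever the info value looks like."""
    return sum(cells.get(h, 0) for h in hosts)


def top_rows(rows, hosts, limit=5):
    """Model of `| sort - Total | head <limit>` using the host-only total."""
    table = [(info, cells, total_host_columns(cells, hosts))
             for info, cells in rows.items()]
    table.sort(key=lambda r: (-r[2], r[0]))
    return table[:limit]


if __name__ == "__main__":
    rows, hosts = chart_count_over_by(SAMPLE_LOG.splitlines())
    print("info".ljust(8), *(h.ljust(8) for h in hosts), "Total  (all-numeric total)")
    for info, cells, total in top_rows(rows, hosts):
        naive = total_all_numeric_fields(info, cells)
        print(info.ljust(8),
              *(str(cells.get(h, 0)).ljust(8) for h in hosts),
              f"{total}      ({naive:g})")
```

Running it prints the same rows as the tables above: `cat` totals 4, `dog` 2, and `82` totals 3 over the host columns but 85 when the info value is swept into the sum. The point for the Splunk search is that the total must be computed over the host columns only, not over every numeric-looking field in the row.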
Hi,
Try this:
| timechart count by host limit=10
If you are on the search page:
1. Go to Visualization and select bar chart
2. Select format button
3. Select stack mode as: Stacked
This does not help.
It only shows hits over time for each host. I am not interested in time.
I need to see the number of each type of animal (info), and each column should show stacked hosts.