I want to draw a chart of hosts added over time so that I can see at the beginning zero hosts and at the end 3,685 hosts. I would like to do this using the firstTime
field from | metadata type=hosts
I have this search | metadata type=hosts | eval Date=strftime(firstTime,"%Y-%m-%d") | fields host Date
but it is just a search of number of hosts added each day and not progressive over time.
I have this search index=_internal hostname="*" component="Metrics" | timechart span=d dc(hostname)
from Answers, but it is using the metrics logs and takes too long over a large number of days.
I would like a count to date
from the beginning for each day of my search.
Like
(day 1 count = 5)
(day 2 count = 5 + day1)
(day 3 count = 5 + day2)
and on an on.
Thanks for any help.
Use streamstats:
| metadata type=hosts | eval date=strftime(firstTime,"%Y-%m-%d") | fields host date | chart count(host) AS new_hosts over date | streamstats sum(new_hosts) AS total_hosts
This should do the trick.
| metadata type=hosts index=*| eval _time=firstTime | fields _time host | timechart span=1d dc(host) as Hosts | makecontinuous | eval Hosts=coalesce(Hosts,0) | accum Hosts
Hi somesoni2,
Using your query is it possible to get the hosts name as well?
We want to know which hosts were added in the last 7 days , a report to be generated weekly once which gives us the list of hosts which were added in the last 7 days.
Thanks in Advance
This did a great job and I am still struggling to understand the code but it had a very different result than the search above. Thanks so much for your contribution it is a great learning code for me to try on something else. Thanks Again for the help.
Use streamstats:
| metadata type=hosts | eval date=strftime(firstTime,"%Y-%m-%d") | fields host date | chart count(host) AS new_hosts over date | streamstats sum(new_hosts) AS total_hosts
This is a very cool chart. thanks so much @diogofgm this was more than I was hoping for. Every Splunk Admin should have this chart to show growth and assimilation. Resistance is futile 🙂