Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get a progressive chart of hosts added over time using the metadata command firstTime field

hartfoml
Motivator
‎08-12-2015 08:12 AM

I want to draw a chart of hosts added over time so that I can see at the beginning zero hosts and at the end 3,685 hosts. I would like to do this using the firstTime field from | metadata type=hosts

I have this search | metadata type=hosts | eval Date=strftime(firstTime,"%Y-%m-%d") | fields host Date but it is just a search of number of hosts added each day and not progressive over time.

I have this search index=_internal hostname="*" component="Metrics" | timechart span=d dc(hostname) from Answers, but it is using the metrics logs and takes too long over a large number of days.

I would like a count to date from the beginning for each day of my search.

Like
(day 1 count = 5)
(day 2 count = 5 + day1)
(day 3 count = 5 + day2)
and on an on.

Thanks for any help.

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎08-12-2015 08:27 AM

Use streamstats:

| metadata type=hosts | eval date=strftime(firstTime,"%Y-%m-%d") | fields host date | chart count(host) AS new_hosts over date | streamstats sum(new_hosts) AS total_hosts
------------
Hope I was able to help you. If so, some karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-12-2015 08:31 AM

This should do the trick.

| metadata type=hosts index=*| eval _time=firstTime | fields _time host | timechart span=1d dc(host) as Hosts | makecontinuous | eval Hosts=coalesce(Hosts,0) | accum Hosts
Reply
Solved! Jump to solution

kiran_mh
Explorer
‎12-19-2016 10:45 PM

Hi somesoni2,

Using your query is it possible to get the hosts name as well?

We want to know which hosts were added in the last 7 days , a report to be generated weekly once which gives us the list of hosts which were added in the last 7 days.

Thanks in Advance

0 Karma
Reply
Solved! Jump to solution

hartfoml
Motivator
‎08-12-2015 08:45 AM

This did a great job and I am still struggling to understand the code but it had a very different result than the search above. Thanks so much for your contribution it is a great learning code for me to try on something else. Thanks Again for the help.

0 Karma
Reply
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎08-12-2015 08:27 AM

Use streamstats:

| metadata type=hosts | eval date=strftime(firstTime,"%Y-%m-%d") | fields host date | chart count(host) AS new_hosts over date | streamstats sum(new_hosts) AS total_hosts
------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply
Solved! Jump to solution

hartfoml
Motivator
‎08-12-2015 08:43 AM

This is a very cool chart. thanks so much @diogofgm this was more than I was hoping for. Every Splunk Admin should have this chart to show growth and assimilation. Resistance is futile 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...