I have the following separate event logs in Splunk:
"10/3/2016 11:30:24 AM","42646.7711166204","mail-server-01","mail-server-01","emails Received","emails Received","0 #","100.00"
"10/3/2016 11:30:50 AM","42646.7714199537","mail-server-01","mail-server-01","cpu","cpu","0 #","25.00"
They are different log events, but have the same fields:
I'd like to make a table to show the following (but I'm having a hard time with the same field values):
|mail-server-01 |100.00 |25.00 |
Try this
base search | chart values(value_raw) as values over host by sensor
*OR*
base search | chart avg(value_raw) as values over host by sensor
Thank you sundareshr! This will work, but if I had multiple sensors that I don't want as part of the table and I only want a subset...is there a better way than doing a query like this?
base search NOT "disk-free" NOT "mem-usage" | chart values(value_raw) as values over host by sensor
Yes, you can do
base search NOT (sensor="disk-free" OR sensor="mem-usage") | chart values(value_raw) as values over host by sensor
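To make clear what `chart <agg>(value_raw) over host by sensor` with a `NOT (sensor=... OR sensor=...)` filter actually produces, here is an added Python emulation of that pipeline run over the two events from the question plus two constructed extra rows. This is not code from the answer above or from Splunk; it assumes a column-to-field mapping (column 3 is `host`, column 5 is `sensor`, column 8 is `value_raw`) that the question never shows, and it simplifies `values()` to a sorted list of distinct numbers.

```python
import csv
import io
from collections import defaultdict
from statistics import mean

# Constructed sample events: the two lines from the question plus two extra
# rows (a second cpu reading and a disk-free reading) so that avg() vs
# values() and the sensor exclusion both have something to act on.
SAMPLE_EVENTS = """\
"10/3/2016 11:30:24 AM","42646.7711166204","mail-server-01","mail-server-01","emails Received","emails Received","0 #","100.00"
"10/3/2016 11:30:50 AM","42646.7714199537","mail-server-01","mail-server-01","cpu","cpu","0 #","25.00"
"10/3/2016 11:31:50 AM","42646.7721143518","mail-server-01","mail-server-01","cpu","cpu","0 #","35.00"
"10/3/2016 11:31:55 AM","42646.7721722222","mail-server-01","mail-server-01","disk-free","disk-free","0 #","80.00"
"""


def parse_events(raw):
    """Turn the quoted CSV-style events into dicts with the three fields the
    searches use. The column positions are an assumption: the question does
    not show its field extraction."""
    events = []
    for row in csv.reader(io.StringIO(raw)):
        if not row:
            continue
        events.append({
            "host": row[2],
            "sensor": row[4],
            "value_raw": float(row[7]),
        })
    return events


def chart(events, agg="values", exclude=()):
    """Emulate
        base search NOT (sensor=a OR sensor=b)
        | chart <agg>(value_raw) as values over host by sensor
    Returns {host: {sensor: cell}}. With agg="avg" each cell is a number;
    with agg="values" each cell is the sorted distinct readings, mirroring
    how Splunk's values() yields a multivalue cell when a sensor has more
    than one event in the search window."""
    buckets = defaultdict(lambda: defaultdict(list))
    for ev in events:
        # The NOT (sensor=... OR sensor=...) filter: field-qualified terms,
        # so a value like "cpu" elsewhere in the event is not matched.
        if ev["sensor"] in exclude:
            continue
        buckets[ev["host"]][ev["sensor"]].append(ev["value_raw"])

    table = {}
    for host, sensors in buckets.items():
        table[host] = {}
        for sensor, vals in sensors.items():
            if agg == "avg":
                table[host][sensor] = mean(vals)
            elif agg == "values":
                table[host][sensor] = sorted(set(vals))
            else:
                raise ValueError("unsupported aggregation: %s" % agg)
    return table


def render(table):
    """Flatten the chart result into pipe-delimited rows like the one in
    the question, one column per sensor (columns sorted by sensor name)."""
    columns = sorted({s for sensors in table.values() for s in sensors})
    rows = ["|host |" + " |".join(columns) + " |"]
    for host in sorted(table):
        cells = []
        for col in columns:
            cell = table[host].get(col, "")
            if isinstance(cell, list):
                cell = ",".join("%.2f" % v for v in cell)
            elif cell != "":
                cell = "%.2f" % cell
            cells.append(cell)
        rows.append("|%s |%s |" % (host, " |".join(cells)))
    return rows


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for agg in ("values", "avg"):
        print("chart %s(value_raw) over host by sensor:" % agg)
        for line in render(chart(events, agg=agg, exclude=("disk-free", "mem-usage"))):
            print(line)
```

Running it shows the practical difference between the two answers: with a single event per sensor both produce the one-row table from the question, but as soon as a sensor reports twice in the window, `values()` gives a multivalue cell (`25.00,35.00`) while `avg()` gives a single number (`30.00`), so pick the aggregation according to how the table will be read.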