Match fields in chart

jkcouch · ‎05-22-2012

I am a Splunk newcomer. Not sure if this is a good title but here is the data set (11,000 events, one for each VM):

05/22/2012 08:49:25 GMT hostname Cluster="tempcluster" CpuLimitMhz="-1" CpuReservationMhz="0" CpuSharesLevel="Normal" MemLimitMB="-1" MemReservationMB="0" MemSharesLevel="Normal" NumCpuShares="2000" VCenter="vcenter" VirtualMachineId="VirtualMachine-vm-000" VMHardwareVersion="v7" VMHost="esx001.tmpdmn.com" VMHostModel="ProLiant BL685c G1" VMHostState="Connected" VMHostVersion="VMware ESXi 4.1.0 build-433742" VMName="tmpvmname" VMToolsVersion="8194" VMToolsVersionStatus="guestToolsNeedUpgrade" ScriptRunTime="129821436005339451"

I am wanting the chart to look someting like this:

"VMHostModel" "Host Count" "VM Count"

ProLiant BL685c G1 400 4000

ProLiant BL465c G1 500 5000

ProLiant BL460c G1 200 2000

Here is what I have so far:

source="PS_VM_Config" | dedup VMName date_mday | chart count(VMHostModel) AS "Host Count", count(VMName) As "VM Count" by VMHostModel

But right now it looks like:

"VMHostModel" "Host Count" "VM Count"

ProLiant BL685c G1 4000 4000

ProLiant BL465c G1 5000 5000

ProLiant BL460c G1 2000 2000

Suggestions please! 🙂

Damien_Dallimor · ‎05-22-2012

Instead of count, try using dc.

source="PS_VM_Config" | chart dc(VMHost) AS "Host Count", dc(VMName) As "VM Count" by VMHostModel

jkcouch · ‎05-22-2012

You nailed it. Thank you! That makes a lot of sense actually now that I see it.

Match fields in chart

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!