Solved: How can I display the count of host in the header?

lucien62 · ‎03-22-2018

Hello,

First of all I'm a splunk noob, I just got started and i'm learning...
I have a simple search that returns a timestamp for each host:

host       _time
x          2018-03-22 21:50
y          2018-03-22 21:55
z          2018-03-22 22:00

I'd like to display the count of host in the header of table like this:

host(3)    _time
x          2018-03-22 21:50
y          2018-03-22 21:55
z          2018-03-22 22:00

How could I do that?
(Splunk 7)

maciep · ‎03-22-2018

I'm not sure that is very straight-forward in Splunk, so the search may be a bit convoluted. Do you want that count to be unique hosts in the lists? Or should it essentially be a count of rows in the results?

Maybe something like this?

<your search so far>
| eventstats dc(host) as num_hosts
| eval "host ({num_hosts})" = host
| table "host *" _time

View solution in original post

maciep · ‎03-22-2018

I'm not sure that is very straight-forward in Splunk, so the search may be a bit convoluted. Do you want that count to be unique hosts in the lists? Or should it essentially be a count of rows in the results?

Maybe something like this?

<your search so far>
| eventstats dc(host) as num_hosts
| eval "host ({num_hosts})" = host
| table "host *" _time

lucien62 · ‎03-23-2018

Thx, it did it !

How can I display the count of host in the header?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!