Getting Data In

How to get the top 1 data per host?

anirban_nag
Explorer

I have a log where the mount usage of every host gets logged. So there can be multiple mounts per host. The data can be following -

Host | Mount_Name | Usage
________________________________
host1 | /tmp | 90
host1 | /opt | 92
host2 | /opt | 81
host2 | /tmp | 90

So the result would be -

Host | Mount_Name | Usage
________________________________
host1 | /opt | 92
host2 | /tmp | 90

Which means for every host I need the highest mount usage.

0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval _raw="Host | Mount_Name | Usage
________________________________
host1 | /tmp | 90
host1 | /opt | 92
host2 | /opt | 81
host2 | /tmp | 90" 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex max_match=0 "[\r\n](?<raw>[^\r\n]+\d+)" 
| mvexpand raw
| rex max_match=0 field=raw "^(?<Host>\S+)\s+\|\s+(?<Mount_Name>\/\S+)\s+\|\s+(?<Usage>\d+)$"
| dedup Host Mount_Name
| fields Host Mount_Name Usage
| fields - _*
| eventstats max(Usage) AS max_usage BY Mount_Name
| where Usage==max_usage
| fields - max_usage
| dedup Mount_Name
0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Hi @anirban_nag,,

Try,

if you need mount point also part of the result

index="your index" sourcetype="your sourcetype" | eventstats max(Usage) as max_usage by Host|where Usage=max_usage

If mount point is not needed,

    index="your index" sourcetype="your sourcetype" | stats max(Usage) by Host
Happy Splunking!
0 Karma

harishalipaka
Motivator

add this end of your query -- |sort -Usage |dedup Host

Thanks
Harish

anirban_nag
Explorer

@harishalipaka your comment is most apt for the question. Please submit an answer and I will accept.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...