Solved: How to totalise events from different and similar ...

leantricity · ‎07-11-2018

sorry about this but I'm new to Splunk:

I have a folder where log files coming from several computers are stored. All of them have event data that I have to process. Each log file has the name of the host computer in its file name, and also has some event within, with that computer name like "Desktop_A". What I'm trying to summarise is the total of a given event like "Notepad.exe is open" from a log that writes the message once per minute (if the application I'm searching for is really open) in each of these log files doing a summary by the hour. If I find "Notepad.exe is open" 60 times in an hour I calculate 100% usage for that hour, etc.

My main problem is that I can do it with one log file, but gets more complicated than that because the directory receives new log files each day from hundreds of computers.

My goal is to represent application usage per hour (as percentage of time) for each one of the computers that I have log files for (and remember, the directory can have multiple log files for the same computer).

The places where I can get the computer name are the log file itself (the name has a string identifying the PC) or an event in some of the rows of the log itself.

The things I've managed to do is to monitor the directory, extract the field I look for and do some aggregation but for a single computer with a single log file in tests.

I need some general help about how to tackle de problem.

Thanks a lot and sorry. I've searched the forum but I find lots of technical SPL questions but I need something more basic...

renjith_nair · ‎07-11-2018

Hi @leantricity,

Try this

Let's assume you have field for machine as host and also for application_name

"your base search " |"your field extractions"|bin span=1h _time|stats count by host,application_name,_time
|eval perc=(count/60)*100

bin span=1h _time splits your time into 1 hr intervals
stats count ... aggregates the count based on host,application_name and _time
eval per1c=(count/60)*100 calculates % based on 1 hour

http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Stats

Happy Splunking!

View solution in original post

renjith_nair · ‎07-11-2018

Hi @leantricity,

Try this

Let's assume you have field for machine as host and also for application_name

"your base search " |"your field extractions"|bin span=1h _time|stats count by host,application_name,_time
|eval perc=(count/60)*100

bin span=1h _time splits your time into 1 hr intervals
stats count ... aggregates the count based on host,application_name and _time
eval per1c=(count/60)*100 calculates % based on 1 hour

http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Stats

Happy Splunking!

leantricity · ‎07-11-2018

Hi @renjith.nair

I understand the idea and will try it ASAP. Is there any way of assigning the host value to each log file based on the name of the file? The PC name is within the log in a scattered row, maybe I can get it and dedup or do something to grab that PC name from the events log file?

Thanks a lot!

leantricity · ‎07-11-2018

Forget about the hosts question, I think I can use the autogenerated source field. Do you think so?

renjith_nair · ‎07-11-2018

source and host are different. Host is the server from where the data coming and source is for eg. a log file. However, if you have the machines in auto generated field, you could still use it

Happy Splunking!

leantricity · ‎07-11-2018

Each log file has the name of the corresponding generating computer, as "ComputerA.log" so I think I can use the source field to identify each one. By the way, the SPL works perfect! Thanks a lot!

renjith_nair · ‎07-13-2018

Gald to know ! And you don't need to give your precious points away instead, you can ^ upvote the answer or comments 🙂 .

Happy Splunking!

How to totalise events from different and similar log files?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes