Solved: Sourcetype count per host

warmup031 · ‎04-01-2020

Hello,

I would like to Check for each host, its sourcetype and count by Sourcetype.
I tried host=* | stats count by host, sourcetype

But in fact I need all the sourcetypes to be set as column, and get the count by host for each sourcetype. Can you help ?

Many thanks

gcusello · ‎04-01-2020

Hi @warmup031,
did you tried?

index=your_index 
| stats count by sourcetype host

host=* isn't needed because all the events has the field host and use always the index in main search.

Ciao.
Giuseppe

View solution in original post

warmup031 · ‎04-01-2020

Hello gcusello and adonio, I already tried thèse search but my main problem is to set each sourcetype as a column, hosts as row and get sourcetype count valid for each host
Thank you

gcusello · ‎04-01-2020

Hi @warmup031,
did you tried?

index=your_index 
| stats count by sourcetype host

host=* isn't needed because all the events has the field host and use always the index in main search.

Ciao.
Giuseppe

gcusello · ‎04-01-2020

Hi @warmup031,
please, try this

index=wineventlog
| chart count OVER host BY sourcetype

Ciao.
Giuseppe

warmup031 · ‎04-01-2020

Wonderful, thank you very much Giuseppe

gcusello · ‎04-01-2020

You're welcome!
Ciao and Next time.
Giuseppe

adonio · ‎04-01-2020

try this:

| tstats count as event_count where index=* by host sourcetype

Sourcetype count per host

tstats

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life