- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to get a progressive chart of hosts added ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to draw a chart of hosts added over time so that I can see at the beginning zero hosts and at the end 3,685 hosts. I would like to do this using the firstTime field from | metadata type=hosts
I have this search | metadata type=hosts | eval Date=strftime(firstTime,"%Y-%m-%d") | fields host Date but it is just a search of number of hosts added each day and not progressive over time.
I have this search index=_internal hostname="*" component="Metrics" | timechart span=d dc(hostname) from Answers, but it is using the metrics logs and takes too long over a large number of days.
I would like a count to date from the beginning for each day of my search.
Like
(day 1 count = 5)
(day 2 count = 5 + day1)
(day 3 count = 5 + day2)
and on an on.
Thanks for any help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use streamstats:
| metadata type=hosts | eval date=strftime(firstTime,"%Y-%m-%d") | fields host date | chart count(host) AS new_hosts over date | streamstats sum(new_hosts) AS total_hosts
Hope I was able to help you. If so, some karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should do the trick.
| metadata type=hosts index=*| eval _time=firstTime | fields _time host | timechart span=1d dc(host) as Hosts | makecontinuous | eval Hosts=coalesce(Hosts,0) | accum Hosts
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi somesoni2,
Using your query is it possible to get the hosts name as well?
We want to know which hosts were added in the last 7 days , a report to be generated weekly once which gives us the list of hosts which were added in the last 7 days.
Thanks in Advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This did a great job and I am still struggling to understand the code but it had a very different result than the search above. Thanks so much for your contribution it is a great learning code for me to try on something else. Thanks Again for the help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use streamstats:
| metadata type=hosts | eval date=strftime(firstTime,"%Y-%m-%d") | fields host date | chart count(host) AS new_hosts over date | streamstats sum(new_hosts) AS total_hosts
Hope I was able to help you. If so, some karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a very cool chart. thanks so much @diogofgm this was more than I was hoping for. Every Splunk Admin should have this chart to show growth and assimilation. Resistance is futile 🙂
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
