Solved: Looking for a search to categorize by hosts..??

prakash007 · ‎05-01-2017

I am expecting a single search to categorize by hosts with individual count and total count by category...

SET-A Count _time
host=web01 25
host=web02 55
SET-A Total 80

SET-B Count _time
host=web05 15
host=web06 20
SET-B-Total 35

somesoni2 · ‎05-01-2017

You can if you have that category column available in the logs OR can be added later (eval-case or lookup etc).

e.g.

your base search giving fields host, _time
| ...some logic to get category field there...
| bucket _time span=10m  ***assuming you want to bucket time. update as required***
| stats count by _time category host
| appendpipe [| stats sum(count) as count by _time category | eval category=category."- Total"]
| stats list(host) as host list(count) as count by _time category

View solution in original post

somesoni2 · ‎05-01-2017

You can if you have that category column available in the logs OR can be added later (eval-case or lookup etc).

e.g.

your base search giving fields host, _time
| ...some logic to get category field there...
| bucket _time span=10m  ***assuming you want to bucket time. update as required***
| stats count by _time category host
| appendpipe [| stats sum(count) as count by _time category | eval category=category."- Total"]
| stats list(host) as host list(count) as count by _time category

Looking for a search to categorize by hosts..??

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?