Sum field in multiple hosts

nirt
Path Finder

Hi,
I want to sum an event that arrives from each host (total 3) and then graph it. I could not find the option on how to do it.

Thanks in advance for your assistance

0 Karma
1 Solution

lguinn2
Legend

If you want to sum a field in the events, we will need more information. However, if you simply want to count the events by host, that's easy. In the examples, I assume that your host names are "abc", "def" and "ghi"...

host=abc OR host=def OR host=ghi
| chart count by host

or, if you want a time chart

host=abc OR host=def OR host=ghi
| timechart count by host

If this doesn't help you, then please post some sample data and give more information.

0 Karma

nirt
Path Finder

I have changed the timechart to the following and it seems to give me the result I want:
timechart span=10m per_minute(UsersCount)

Thanks

0 Karma

nirt
Path Finder

Thanks for the quick reply, the timechart gives me each host in its own line - how can I sum it into one line?
I used this:
index="short_stats" host="XX_users" OR host="YY_users" OR host="XY_users" earliest=-0d@d latest=+1d@d | timechart span=30m max(UsersCount) by host

0 Karma
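
One way to get the single combined line asked about above, as an added example that is not part of the original thread. It reuses the index, host names and UsersCount field from the post, and assumes UsersCount is a per-host reading of current users that may arrive several times within a span; TotalUsers is a field name chosen here.

```spl
index="short_stats" (host="XX_users" OR host="YY_users" OR host="XY_users") earliest=-0d@d latest=+1d@d
| bin _time span=30m
| stats max(UsersCount) AS UsersCount BY _time, host
| timechart span=30m sum(UsersCount) AS TotalUsers
```

The bin and stats stages reduce each host to one value (its maximum) per 30-minute bucket, and timechart then adds those per-host values into one series. Summing the raw events directly would count a host once for every event it sent in the bucket.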