Splunk Search

help on stats(dc) command

jip31
Motivator

Hello

I use the search below to display CPU usage > 80% by host and by process name.
So the same host can have many processes where CPU usage is > 80%.

index="x" sourcetype="y" process_name=* 
| where process_cpu_used_percent>80 
| table host process_name process_cpu_used_percent

Now I need to count the number of hosts which have a process_name using more than 80% of CPU.
If the same host has many processes > 80%, I want to count only one host.
I don't succeed in doing this.
Could you help me please?

0 Karma
1 Solution

pkeenan87
Communicator

The distinct count function of stats should help with this:

 index="x" sourcetype="y" process_cpu_used_percent>80
| stats dc(host) as unique_hosts

https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Stats

0 Karma

Vijeta
Influencer

@jip31 - Can you please share sample data and expected sample output?

0 Karma

jip31
Motivator

It doesn't work.
I always have different events for the same host when a host has many process_name >80%
index="x" sourcetype="perfmonmk:process" process_name=* process_cpu_used_percent>80
| stats dc(host)

I just want to count 1 event when a host has one or many process_name >80%.
Could you help me please?

0 Karma

Vijeta
Influencer

@jip31 Not exactly sure what you are looking for, but can you try the search below? Also, what is the final output you need: host field and count, or more fields?

  index="x" sourcetype="y" process_cpu_used_percent>80|stats count by host
0 Karma
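
Added example, not part of any post in this thread: a self-contained search that builds four constructed events with `makeresults` (the hosts srv01 to srv03, the process names, the values and the field `constructed_events` are all made up for illustration) and runs the same filter followed by `stats dc(host)`. Three of the constructed events exceed 80%, two of them on srv01, so `count` and `dc(host)` can be compared side by side.

```spl
| makeresults
| eval constructed_events=split("srv01,sqlservr,95;srv01,w3wp,88;srv02,java,91;srv03,svchost,12", ";")
| mvexpand constructed_events
| eval host=mvindex(split(constructed_events, ","), 0)
| eval process_name=mvindex(split(constructed_events, ","), 1)
| eval process_cpu_used_percent=tonumber(mvindex(split(constructed_events, ","), 2))
| where process_cpu_used_percent>80
| stats dc(host) as unique_hosts count as matching_events
```

Replacing the last line with `| stats count by host` returns one row per host instead of a single total, which is the difference between the two answers above.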