Splunk: Calculate TopN hosts but add to that TopN based on a key=value pair
Is there a way to get a Top Hosts count and add to each host's count using a value from a k/v pair in the event itself?
Example:
<158>Mar 26 15:01:36 m500 admd SSO: write 35 bytes on fd(11) OK repeatCount=300 source = tcp:514 sourcetype = generic_single_line
So this would come up as 300 in the count of events for that host.
I'm new to Splunk, so I'm not very familiar with the query language. I tried
| metasearch index=* | eval Date=strftime(_time,"%Y-%m-%d") | chart count over host by Date
But I don't know how to add the count from that k/v.
splunk splunk-query
asked Mar 26 at 15:05
Notyalc Sked
2 Answers
It's not very clear what you are asking. Do you have a better example?
You could try
| chart sum(repeatCount) over host by Date
Or
| chart values(repeatCount) over host by Date
Or a combination of one of those and count, and then an additional eval to sum those. Again, the question isn't clear, but perhaps these will point you in the right direction.
answered Mar 26 at 21:27
Simon Duff
I found a Splunk board like Stack Overflow and posted there. For the sake of completeness, I'll post the solution here:
Give this a try (I would strongly suggest replacing index=* with some specific index/sourcetype/source query):
index=* | eval Date=strftime(_time,"%Y-%m-%d") | stats count sum(repeatCount) as repeatCount by host Date | eval total=count + repeatCount | chart max(total) over host by Date
answered Mar 27 at 0:27
Notyalc Sked
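The arithmetic of the query above, reproduced offline as an added Python example (not code from the thread): each event counts once plus its repeatCount, summed per host and day, and an event with no numeric repeatCount adds 0 rather than nulling the total (in SPL, `fillnull value=0 repeatCount` before the eval gives the same result). Assumptions: host is taken from the syslog header, the `year` parameter stands in for the year the timestamp lacks, and all sample lines except the first are constructed.

```python
import re
from collections import defaultdict

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# RFC 3164-style header: <PRI>Mon DD HH:MM:SS host ...
HEADER = re.compile(
    r"^<\d+>(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d (?P<host>\S+) ")
REPEAT = re.compile(r"\brepeatCount=(\d+)\b")

# Constructed sample input; only the first line is the question's example.
SAMPLE = [
    "<158>Mar 26 15:01:36 m500 admd SSO: write 35 bytes on fd(11) OK repeatCount=300",
    "<158>Mar 26 15:02:10 m500 admd SSO: write 35 bytes on fd(11) OK",
    "<158>Mar 26 15:03:00 m200 admd SSO: session closed",
    "<158>Mar 27 09:00:00 m200 admd SSO: session closed repeatCount=abc",
    "<158>Mar 27 09:00:05 m200 admd SSO: session closed repeatCount=12",
    "truncated line without a syslog header",
]

def weighted_totals(lines, year=2019):
    """Per (host, Date): count + sum(repeatCount), as in the stats/eval stage."""
    totals = defaultdict(int)
    for line in lines:
        head = HEADER.match(line)
        if head is None or head["mon"] not in MONTHS:
            continue  # cannot attribute the line to a host and day
        date = f"{year:04d}-{MONTHS.index(head['mon']) + 1:02d}-{int(head['day']):02d}"
        rep = REPEAT.search(line)
        # A missing or non-numeric repeatCount adds 0; the event still counts once.
        totals[(head["host"], date)] += 1 + (int(rep.group(1)) if rep else 0)
    return dict(totals)

def top_hosts(totals, n=10):
    """Collapse the per-day totals into a Top-N list of (host, total)."""
    per_host = defaultdict(int)
    for (host, _date), total in totals.items():
        per_host[host] += total
    return sorted(per_host.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

if __name__ == "__main__":
    for host, total in top_hosts(weighted_totals(SAMPLE)):
        print(host, total)
```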