Reputation: 21
Sum of count with Splunk
First let me say that I am very very very new to splunk. I am trying to find all the "host" that make up an index and get a total count of unique values. The purpose of this is to eventually get alerts on when the total "host" changes so I can tell when something that makes up and index stops working.
Here is my query so far which gives me the host names and the count however I cannot figure out how to get the sum of "count"
index=exchangesmtp | table host | dedup host | stats count by host | addtotals fieldname=count
Upvotes: 1
Views: 3627
Answers (2)
Reputation: 2651
Maybe the following is more straightforward
earliest=-30m index=exchangesmtp | stats dc(host) as count
stats dc(field) gives you the distinct count of values in that field, in your case, the number of unique hosts
Upvotes: 1
Reputation: 21
earliest=-30m index=exchangesmtp | dedup host | table host | stats count
This is exactly what I was looking for.
Upvotes: 1
Related Questions
- Splunk : How to sum the values of the fields that are a result of if condition
- Splunk - Displaying addcoltotals into its own column
- Splunk query - Total or Count by field
- Count and sum in splunk
- Splunk: count by Id
- How to count the total number of events in a splunk search result?
- Splunk - counting numeric information in events
- How to count results in Splunk and put them in a table?
- Splunk Query Count of Count
- Total count with sub total count for msg log string literal?