Is there a way to get a Top Hosts count and add to each host's count a value taken from a k/v pair in the event itself?
Example:
<158>Mar 26 15:01:36 m500 admd SSO: write 35 bytes on fd(11) OK repeatCount=300 source = tcp:514 sourcetype = generic_single_line
So this would come up as 300 in the count of events for that host.
I'm new to Splunk so not very familiar with the query language. I tried
| metasearch index=* | eval Date=strftime(_time,"%Y-%m-%d") | chart count over host by Date
But I don't know how to add the count from that k/v pair.
I found a Splunk board like Stack Overflow and posted there. For the sake of completeness, I'll post the solution here:
Give this a try (I would strongly suggest replacing index=* with some specific index/sourcetype/source query):
index=* | eval Date=strftime(_time,"%Y-%m-%d") | stats count sum(repeatCount) as repeatCount by host Date | eval total=count + coalesce(repeatCount,0) | chart max(total) over host by Date
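The search above does three things: bucket each event by host and day, count events while summing the repeatCount field, then add the two so an event carrying repeatCount=300 weighs as 300. To make that logic concrete outside Splunk, here is an added Python example that is not from the thread or from Splunk. It parses constructed syslog-style lines in the same shape as the one quoted in the question, treats a missing repeatCount as 0 (the same role coalesce plays in the SPL), and aggregates per (host, date). The year is assumed because the syslog header carries none, and the helper names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the same shape as the line quoted in the question.
# The syslog header has no year, so one is assumed here for the date bucket.
SAMPLE_EVENTS = [
    "<158>Mar 26 15:01:36 m500 admd SSO: write 35 bytes on fd(11) OK repeatCount=300",
    "<158>Mar 26 15:02:10 m500 admd SSO: write 12 bytes on fd(11) OK repeatCount=5",
    "<158>Mar 26 16:00:00 m500 admd SSO: session opened",
    "<158>Mar 27 09:30:00 m500 admd SSO: write 8 bytes on fd(12) OK repeatCount=2",
    "<158>Mar 26 11:00:00 edge01 sshd: accepted publickey repeatCount=10",
]
ASSUMED_YEAR = 2024  # assumption: syslog timestamps omit the year

# Syslog-style header: <PRI>Mon DD HH:MM:SS host ...
HEADER_RE = re.compile(r"^<\d+>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")
# The k/v pair of interest; \b keeps e.g. "xrepeatCount=" from matching.
REPEAT_RE = re.compile(r"\brepeatCount=(\d+)\b")


def parse_event(line):
    """Return (host, date, repeat_count) for one event, or None if the header
    does not match. A missing repeatCount counts as 0, like coalesce(repeatCount,0)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    r = REPEAT_RE.search(line)
    repeat = int(r.group(1)) if r else 0
    return m.group(2), ts.strftime("%Y-%m-%d"), repeat


def weighted_counts(lines):
    """Mirror `stats count sum(repeatCount) by host Date | eval total=count+repeatCount`.
    Returns {(host, date): {"count": n, "repeatCount": s, "total": n + s}}."""
    agg = defaultdict(lambda: {"count": 0, "repeatCount": 0})
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue  # unparseable line: skipped, as metasearch/stats would drop it
        host, date, repeat = parsed
        bucket = agg[(host, date)]
        bucket["count"] += 1
        bucket["repeatCount"] += repeat
    for bucket in agg.values():
        bucket["total"] = bucket["count"] + bucket["repeatCount"]
    return dict(agg)


def chart_by_host(results):
    """Pivot like `chart max(total) over host by Date`: {host: {date: total}}.
    One row per (host, date) exists after the stats step, so max() is just that value."""
    table = defaultdict(dict)
    for (host, date), bucket in results.items():
        table[host][date] = bucket["total"]
    return dict(table)


if __name__ == "__main__":
    res = weighted_counts(SAMPLE_EVENTS)
    for host, row in sorted(chart_by_host(res).items()):
        print(host, row)
```

With the constructed input, m500 on 2024-03-26 has three events (one without repeatCount) and a repeatCount sum of 305, giving a total of 308; the event with no k/v pair still contributes 1 to the count rather than nulling the row, which is exactly the case the coalesce in the SPL guards against.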