https://community.splunk.com/t5/Splunk-Search/Reporting-the-number-of-events-in-an-index/m-p/44791#M10580 <P>Bhiley,</P> <P>Yes, there are limits in splunk, which you may be hitting up against. See, in your search you are telling Splunk to RETURN all of this data and not just count it.<BR /> Splunk has many analytic features, such as "stats" that have arguments like count.</P> <P>You probably want to do something like this:<BR /> <EM>search = index=tal | stats count</EM></P> <P>If you want to be sure to just run this for the previous day you can use the timepicker in the search or do this:<BR /> <EM>search = index=tal earliest=-24h@h latest=@d-1s | stats count</EM></P> <P>If you had multiple indexes you can do ... | stats count by index</P> <P>Find more about stats here: <A href="http://www.splunk.com/base/Documentation/latest/SearchReference/stats">http://www.splunk.com/base/Documentation/latest/SearchReference/stats</A></P> <P>Best,<BR /> Sean</P> Tue, 19 Jul 2011 09:10:37 GMT sdwilkerson 2011-07-19T09:10:37Z https://community.splunk.com/t5/Splunk-Search/Reporting-the-number-of-events-in-an-index/m-p/44790#M10579 <P>I want to report the number of events in a given index using a scheduled overnight report and send the PDF output to myself.<BR /> So in 'Manager&gt;Searches and reports' I define a search :-</P> <P>Search = 'index=tal' # name of index<BR /> No time range<BR /> Tick 'Schedule this search'<BR /> Type = Basic<BR /> Run every day at 6pm<BR /> and enter email details for myself including the PDF report option</P> <P>The report doesn't return the expected number of events (&gt; 150M) but instead gives a small total (around 220,000) - it seems to be limited by some threshold value that I don't understand.<BR /> How do I get the report run for as long as required to tranverse the whole index and send me a report ? (leaving aside for the moment whether it's sensible to do this).</P> <P>Can supply any further info as required.</P> Tue, 19 Jul 2011 03:32:05 GMT https://community.splunk.com/t5/Splunk-Search/Reporting-the-number-of-events-in-an-index/m-p/44790#M10579 bhiley 2011-07-19T03:32:05Z https://community.splunk.com/t5/Splunk-Search/Reporting-the-number-of-events-in-an-index/m-p/44791#M10580 <P>Bhiley,</P> <P>Yes, there are limits in splunk, which you may be hitting up against. See, in your search you are telling Splunk to RETURN all of this data and not just count it.<BR /> Splunk has many analytic features, such as "stats" that have arguments like count.</P> <P>You probably want to do something like this:<BR /> <EM>search = index=tal | stats count</EM></P> <P>If you want to be sure to just run this for the previous day you can use the timepicker in the search or do this:<BR /> <EM>search = index=tal earliest=-24h@h latest=@d-1s | stats count</EM></P> <P>If you had multiple indexes you can do ... | stats count by index</P> <P>Find more about stats here: <A href="http://www.splunk.com/base/Documentation/latest/SearchReference/stats">http://www.splunk.com/base/Documentation/latest/SearchReference/stats</A></P> <P>Best,<BR /> Sean</P> Tue, 19 Jul 2011 09:10:37 GMT https://community.splunk.com/t5/Splunk-Search/Reporting-the-number-of-events-in-an-index/m-p/44791#M10580 sdwilkerson 2011-07-19T09:10:37Z