https://community.splunk.com/t5/Splunk-Search/Display-EventCount-for-specific-index/m-p/530637#M149907 <P>NO, Getting graph only for first index.</P> Tue, 24 Nov 2020 16:07:29 GMT shinde0509 2020-11-24T16:07:29Z https://community.splunk.com/t5/Splunk-Search/Display-EventCount-for-specific-index/m-p/530535#M149886 <P>Want to count all events from specific indexes say abc, pqr and xyz only for span of 1h using tstats<BR />and present it in timechart.</P><P>Tried this but now working&nbsp;</P><P>| tstats count WHERE earliest=-1d@-3h latest=now index=ABC,PQR,XYZ by index, _time span=1h | timechart sum(count) as count by index.</P> Tue, 24 Nov 2020 08:04:04 GMT https://community.splunk.com/t5/Splunk-Search/Display-EventCount-for-specific-index/m-p/530535#M149886 shinde0509 2020-11-24T08:04:04Z https://community.splunk.com/t5/Splunk-Search/Display-EventCount-for-specific-index/m-p/530554#M149888 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/164225">@shinde0509</a>&nbsp;</P><LI-CODE lang="markup">| tstats count where index IN (windows,nix) by _time, span=1h , index | chart values(count) as count over _time by index</LI-CODE> Tue, 24 Nov 2020 09:50:55 GMT https://community.splunk.com/t5/Splunk-Search/Display-EventCount-for-specific-index/m-p/530554#M149888 thambisetty 2020-11-24T09:50:55Z https://community.splunk.com/t5/Splunk-Search/Display-EventCount-for-specific-index/m-p/530570#M149891 <P>Hi</P><P>You can try this:</P><P>&nbsp;</P><LI-CODE lang="markup">| tstats count WHERE earliest=-1d@-3h latest=now index IN (ABC,PQR,XYZ) by index _time span=1h prestats=t | timechart span=1h count as count by index.</LI-CODE><P>&nbsp;</P><P>You must use count on both and also span must be the same.</P><P>r. Ismo&nbsp;</P> Tue, 24 Nov 2020 16:21:12 GMT https://community.splunk.com/t5/Splunk-Search/Display-EventCount-for-specific-index/m-p/530570#M149891 isoutamo 2020-11-24T16:21:12Z https://community.splunk.com/t5/Splunk-Search/Display-EventCount-for-specific-index/m-p/530637#M149907 <P>NO, Getting graph only for first index.</P> Tue, 24 Nov 2020 16:07:29 GMT https://community.splunk.com/t5/Splunk-Search/Display-EventCount-for-specific-index/m-p/530637#M149907 shinde0509 2020-11-24T16:07:29Z https://community.splunk.com/t5/Splunk-Search/Display-EventCount-for-specific-index/m-p/530639#M149908 <P>Thanks, Working.</P> Tue, 24 Nov 2020 16:08:51 GMT https://community.splunk.com/t5/Splunk-Search/Display-EventCount-for-specific-index/m-p/530639#M149908 shinde0509 2020-11-24T16:08:51Z https://community.splunk.com/t5/Splunk-Search/Display-EventCount-for-specific-index/m-p/530643#M149910 <P>Sorry, I just copied that from your example. It must be index IN (ABC, PQR,XYZ) or in the old way index = ABC OR index = PQR OR index = XYZ. Fixed into my previous reply.</P> Tue, 24 Nov 2020 16:22:02 GMT https://community.splunk.com/t5/Splunk-Search/Display-EventCount-for-specific-index/m-p/530643#M149910 isoutamo 2020-11-24T16:22:02Z