https://community.splunk.com/t5/Splunk-Search/Count-events-in-summary-index/m-p/551700#M156558 <P>How about _time</P><LI-CODE lang="markup">| eval b=mvcount(_time)</LI-CODE> Sat, 15 May 2021 13:04:17 GMT ITWhisperer 2021-05-15T13:04:17Z https://community.splunk.com/t5/Splunk-Search/Count-events-in-summary-index/m-p/551354#M156462 <P><SPAN>Hello, everybody!</SPAN></P><P>Does anybody can help with such an easy problem as counting events in&nbsp;summary index?</P><P>I have a summary index populated with something like SS:</P><P>&nbsp;</P><LI-CODE lang="markup">| tstats prestats=true summariesonly=false min(CPU.CPU_Performance.cpu_load_percent), avg(CPU.CPU_Performance.cpu_load_percent), max(CPU.CPU_Performance.cpu_load_percent) from datamodel=MODEL where nodename=CPU.CPU_Performance by host, CPU.CPU_Performance.cpu_instance | sistats min(CPU.CPU_Performance.cpu_load_percent), avg(CPU.CPU_Performance.cpu_load_percent), max(CPU.CPU_Performance.cpu_load_percent) by host, CPU.CPU_Performance.cpu_instance | addinfo | eval _time=info_min_time, host=upper(host) | fields - info_sid, info_search_time, info_min_time, info_max_time | collect index=my_summary</LI-CODE><P>&nbsp;</P><P>My SS is scheduled to run once an hour, so I every hour get 1 event for each orig_host in&nbsp;summary index.</P><P>Now I want to check, if all the required events are here in&nbsp;summary index. I expect to get count=24 events for each orig_host in&nbsp;summary index for each day. When I try the search:</P><P>&nbsp;</P><LI-CODE lang="markup">index=my_summary | stats count by orig_host</LI-CODE><P>&nbsp;</P><P>I get all the&nbsp;<SPAN class="t">psrsvd</SPAN><SPAN>_</SPAN><SPAN class="t">ct_ values summarized giving me not what I expected. How should I change my search to count&nbsp;events in&nbsp;summary index?</SPAN></P> Wed, 12 May 2021 13:31:30 GMT https://community.splunk.com/t5/Splunk-Search/Count-events-in-summary-index/m-p/551354#M156462 oshirnin 2021-05-12T13:31:30Z https://community.splunk.com/t5/Splunk-Search/Count-events-in-summary-index/m-p/551367#M156465 <LI-CODE lang="markup">index=my_summary | bin span=1d _time | stats count by _time orig_host</LI-CODE> Wed, 12 May 2021 15:10:58 GMT https://community.splunk.com/t5/Splunk-Search/Count-events-in-summary-index/m-p/551367#M156465 ITWhisperer 2021-05-12T15:10:58Z https://community.splunk.com/t5/Splunk-Search/Count-events-in-summary-index/m-p/551430#M156488 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;this doesn't work, it takes&nbsp;<STRONG><SPAN class="t">psrsvd</SPAN>_</STRONG><SPAN class="t"><STRONG>ct_</STRONG> values and sum these. Please, check attached</SPAN></P><P><SPAN class="t"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunk01.PNG" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14128i9617719C042AFFFB/image-size/large?v=v2&amp;px=999" role="button" title="splunk01.PNG" alt="splunk01.PNG" /></span></SPAN></P><P><SPAN class="t"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunk02.PNG" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14129i8E560FC71803CBF2/image-size/large?v=v2&amp;px=999" role="button" title="splunk02.PNG" alt="splunk02.PNG" /></span></SPAN></P> Thu, 13 May 2021 08:30:35 GMT https://community.splunk.com/t5/Splunk-Search/Count-events-in-summary-index/m-p/551430#M156488 oshirnin 2021-05-13T08:30:35Z https://community.splunk.com/t5/Splunk-Search/Count-events-in-summary-index/m-p/551432#M156489 <P>It looks like orig_host might be a multivalue field in your summary index, with your host repeated 3.5 times. (3.5 * 24 = 84). Please can you check?</P> Thu, 13 May 2021 09:02:13 GMT https://community.splunk.com/t5/Splunk-Search/Count-events-in-summary-index/m-p/551432#M156489 ITWhisperer 2021-05-13T09:02:13Z https://community.splunk.com/t5/Splunk-Search/Count-events-in-summary-index/m-p/551443#M156490 <P>Sure my&nbsp;<SPAN>orig_host is NOT MV</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunk03.PNG" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14130iD26617160F38EDB4/image-size/large?v=v2&amp;px=999" role="button" title="splunk03.PNG" alt="splunk03.PNG" /></span></P> Thu, 13 May 2021 11:12:31 GMT https://community.splunk.com/t5/Splunk-Search/Count-events-in-summary-index/m-p/551443#M156490 oshirnin 2021-05-13T11:12:31Z https://community.splunk.com/t5/Splunk-Search/Count-events-in-summary-index/m-p/551697#M156556 <P>Hello,&nbsp;<SPAN>can anyone help with this?</SPAN></P> Sat, 15 May 2021 12:17:14 GMT https://community.splunk.com/t5/Splunk-Search/Count-events-in-summary-index/m-p/551697#M156556 oshirnin 2021-05-15T12:17:14Z https://community.splunk.com/t5/Splunk-Search/Count-events-in-summary-index/m-p/551700#M156558 <P>How about _time</P><LI-CODE lang="markup">| eval b=mvcount(_time)</LI-CODE> Sat, 15 May 2021 13:04:17 GMT https://community.splunk.com/t5/Splunk-Search/Count-events-in-summary-index/m-p/551700#M156558 ITWhisperer 2021-05-15T13:04:17Z