topic Re: Stats summary help? Only linux systems showing up in Splunk Search

Stats summary help? Only linux systems showing up

dave_rook — Thu, 09 Feb 2012 16:08:03 GMT

I'm using this query right now:
stats count by host, source, date_mday

It only lists Linux hosts but lists the data exactly as I need. We've got a bunch of Windows boxes and I'm not sure exactly why the filtering is happening. I'm guessing because of date_ mday. The reason I'm using date_ mday is because I want to break down the count of log data by host and by source so that I can make sure I'm collecting everything as expected. Should I be using something based off _time? Is there a better way to get the summary I'm looking for?

I'm guessing this is something fairly simple, but I'm pretty new to splunk.

Re: Stats summary help? Only linux systems showing up

lguinn2 — Thu, 09 Feb 2012 16:28:31 GMT

date_mday is created by Splunk, based on the time. This field exists for all events, regardless of source.

What you are showing is just the command part of a search string. Can you show the entire search string?

In the meantime, are any other queries working? When you login to Splunk, do you see any Windows data on the Summary page? Is the Windows data perhaps in a different index?

Re: Stats summary help? Only linux systems showing up

dave_rook — Mon, 28 Sep 2020 11:22:20 GMT

When I use the same search string without date_mday, the Windows sources show up as I'd expect.

The only other detail is that I'm limiting my search to a specific splunk server to limit the scope of my search:
splunk_server="SERVERNAME" | stats count by host, source, date_mday

I did set a date restriction (2012-02-01 00:00:00 to now). I'm not aware of any other input I might be excluding, as this is all I'm specifying in splunk.

Re: Stats summary help? Only linux systems showing up

lguinn2 — Mon, 28 Sep 2020 11:22:31 GMT

Weird. Well, try this:

splunk_server="SERVERNAME" |
eval date_mday = tonumber(strftime(_time,"%d")) |
stats count by host source date_mday