topic Re: Splunk Count for last 30 days in Splunk Search

Splunk Count for last 30 days

sachin9911 — Sun, 01 Aug 2021 08:34:57 GMT

Hi,

I have written a script which runs for every after 1 hr, here the 24 hr window is from 07am to next day 06:00am

My requirement is to provide a monthly count of the report but should only consider the last log file 06:00 am which contains all the updated information for the day

Re: Splunk Count for last 30 days

ITWhisperer — Sun, 01 Aug 2021 09:38:49 GMT

It is not clear what data you are dealing with. Is it that you just want the last event in the log for each A B C combination?

| stats last(jobs) as jobs by source A B C

Re: Splunk Count for last 30 days

sachin9911 — Mon, 02 Aug 2021 09:30:48 GMT

I am looking for the total number of record for the last log file created.

Example:

07:00 am - log_20210801.csv --count = 14000

08:00 am - log_20210801.csv -- count = 14500 (file will overwrite)

and so on.. until next day

06:00am -log_20210801.csv -- count = 17000 (file will overwrite and contain the final update events for

the day)

07:00am -log_20210802.csv -- count 16000 until

06:00am -log_20210802.csv -- count 20000 (file will overwrite)

here number of records in last log files are 17000 and 20000 need this value only and using the logic will perform search for last 30 days to create a bar diagram to visually display the trend

Re: Splunk Count for last 30 days

ITWhisperer — Mon, 02 Aug 2021 12:40:20 GMT

If you did this

index=XX host=XX source="abc_20210801.csv" | stats count

Would you get 14000 at 7am (or just after at least) and 14500 at 8am, or 14000 at 7am and 28500 at 8am?

Assuming you want more than one source to be considered, what do you get if you do this

index=XX host=XX source="abc_*.csv" | stats count by source

Re: Splunk Count for last 30 days

sachin9911 — Thu, 05 Aug 2021 07:20:29 GMT

the query displays the total count for all the runs

example:

1Aug - 07am (count = 14000), 08 am (count=15000), ... Next day 06:00 am(18000)

2 Aug - 07am (count = 11000), 08 am (count=12500), ... Next day 06:00 am(19500)

... so on until

30th Aug - 07am (count = 2000), 08 am (count=10000), ... Next day 06:00 am(12500)

My requirement is to only get the last count of the day i.e

1 Aug (18000) , 2 Aug (19500) ... 30th Aug (12500)

Re: Splunk Count for last 30 days

ITWhisperer — Thu, 05 Aug 2021 07:42:31 GMT

What is the search you are using to get these results?

Re: Splunk Count for last 30 days

sachin9911 — Fri, 06 Aug 2021 04:11:01 GMT

Re: Splunk Count for last 30 days

ITWhisperer — Fri, 06 Aug 2021 07:09:17 GMT

I don't understand how this search gives you the results you have - can you share some raw events from you csv files?