topic Stats Count by day ? in Splunk Search

Stats Count by day ?

sjringo — Thu, 05 Oct 2023 21:32:34 GMT

I have a query that gives me four totals for a month. I am trying to figure out how to show each four total for each day searched ?

Here is what I have so far:

index=anIndex sourcetype=aSourcetype "SFTP upload finished" OR "File sent to MFS" OR "File download sent to user" OR "HTTP upload finished"
earliest=-0month@month latest=now
| bucket _time span=day
| stats count(eval(searchmatch("SFTP upload finished"))) as SFTPCount
count(eval(searchmatch("File sent to MFS"))) as MFSCount
count(eval(searchmatch("File download sent to user"))) as DWNCount
count(eval(searchmatch("HTTP upload finished"))) as HTTPCount
| table SFTPCount MFSCount DWNCount HTTPCount

SFTPCount MFSCount DWNCount HTTPCount

30843

535

1584

Now to show the results by each day ?

I have a line to specify my bucket ?

Re: Stats Count by day ?

yuanliu — Thu, 05 Oct 2023 21:51:52 GMT

Not sure if I understand the question. You already bucketed _time. The simplest is to just use it as groupby

index=anIndex sourcetype=aSourcetype "SFTP upload finished" OR "File sent to MFS" OR "File download sent to user" OR "HTTP upload finished" earliest=-0month@month latest=now | bucket _time span=day | stats count(eval(searchmatch("SFTP upload finished"))) as SFTPCount count(eval(searchmatch("File sent to MFS"))) as MFSCount count(eval(searchmatch("File download sent to user"))) as DWNCount count(eval(searchmatch("HTTP upload finished"))) as HTTPCount by _time

Will this work?

Re: Stats Count by day ?

efavreau — Thu, 05 Oct 2023 21:53:53 GMT

@sjringo You're so close... you need a "BY _time" on your stats line

index=anIndex sourcetype=aSourcetype "SFTP upload finished" OR "File sent to MFS" OR "File download sent to user" OR "HTTP upload finished" earliest=-0month@month latest=now | bucket _time span=day | stats count(eval(searchmatch("SFTP upload finished"))) as SFTPCount count(eval(searchmatch("File sent to MFS"))) as MFSCount count(eval(searchmatch("File download sent to user"))) as DWNCount count(eval(searchmatch("HTTP upload finished"))) as HTTPCount BY _time

Re: Stats Count by day ?

sjringo — Thu, 05 Oct 2023 21:57:43 GMT

Yup, I was trying to do the BY _time after each count ((...)) AS ... by _time instead of doing it after the very last one...

I knew I was close I just was not seeing it !!!