topic Re: Print number of returned results with data if > 10,000 in Splunk Search

Print number of returned results with data if > 10,000

OldManEd — Mon, 27 Jan 2014 21:52:56 GMT

I have a “stats” search that returns millions of results. Splunk can only show 10,000. That’s OK but what I would like is the very first row on the search results page to show an accurate count of the number of results and then the 10,000 rows of data, in table format that I’m getting now, after that. Is this possible?
~Ed

Re: Print number of returned results with data if > 10,000

martin_mueller — Mon, 27 Jan 2014 22:01:41 GMT

You could append this to your search to get a count of events added to each row:

... | eventstats count

Re: Print number of returned results with data if > 10,000

OldManEd — Tue, 28 Jan 2014 14:15:07 GMT

Yes, this will work but not really what I'm looking for. Bedsides, I'm already using the "stats" and "count" field. The search looks like this;

index="indexname" source="logname" host="partialhostname" | eval fieldNameTotal = fieldname1."-".fieldname2 | stats count by fieldnameTotal, fieldname3 | sort fieldname3

Any other ideas?

Re: Print number of returned results with data if > 10,000

martin_mueller — Tue, 28 Jan 2014 14:27:29 GMT

If you already have a field called count you can do this instead:

... | eventstats count as total_count

Here's an entirely different idea: Leave your table as-is, and add an HTML panel above the table that prints out the number of results separately from the table.

Re: Print number of returned results with data if > 10,000

somesoni2 — Tue, 28 Jan 2014 14:49:14 GMT

One more option that your can try.

index="indexname" source="logname" host="partialhostname" | eval fieldNameTotal = fieldname1."-".fieldname2 | stats count by fieldnameTotal, fieldname3 | addcoltotals | eval fieldname3 =if(isnull(fieldname3), "#Total Rows",fieldname3 ) | sort fieldname3

Re: Print number of returned results with data if > 10,000

martin_mueller — Tue, 28 Jan 2014 14:52:03 GMT

A caveat for using sort: It doesn't really like large result sets. You will at least need to specify a count of 0 to overcome the default restriction of 10000 events.

Re: Print number of returned results with data if > 10,000

OldManEd — Tue, 28 Jan 2014 15:11:37 GMT

Martin, how would I do this?

Re: Print number of returned results with data if > 10,000

OldManEd — Tue, 28 Jan 2014 15:16:54 GMT

I tried the search above and I got my table fine, but I couldn't find the "#Total Rows" anywhere in the report.

Re: Print number of returned results with data if > 10,000

martin_mueller — Tue, 28 Jan 2014 15:20:23 GMT

For example you could add a PostProcess module as a sibling of your Table module, do a | stats count there, and display that in an HTML module.
That's assuming you're in an AdvancedXML view. I'm sure similar things can be done using the SplunkJS stack, not so sure about SimpleXML.

Re: Print number of returned results with data if > 10,000

OldManEd — Tue, 28 Jan 2014 15:47:07 GMT

OK, here's what I came up with that works for me. I used the "dedup" and "accum" functions of Splunk. The dedup got rid of duplicate events and the accum gave me a running total. To get the total number of results, I simply run a sort on the resulting "total_count" column. Thanks for everyone's help on this one.

index="indexname" source="logname" host="*partialhostname*" | eval fieldNameTotal = fieldname1."-".fieldname2 | dedup fieldNameTotal | stats count by fieldNameTotal, fieldname3 | accum count AS total_count

Re: Print number of returned results with data if > 10,000

somesoni2 — Tue, 28 Jan 2014 16:06:38 GMT

It should be the first row in the table and "#Total Rows" should appear under fieldname3 column.