topic Re: Need to get stats count by day in Splunk Search

Need to get stats count by day

shellnight — Sun, 31 May 2015 13:10:04 GMT

I need a daily count of events of a particular type per day for an entire month

June1 - 20 events
June2 - 55 events
and so on till June 30

available fields is websitename , just need occurrences for that website for a month

n00badmin — Sun, 31 May 2015 14:01:16 GMT

index=%yourIndexHere% websiteName=* | timechart span=1d count by websiteName limit=0

This should work..brings back all events with "websiteName" present, then counts them per day with no limit on how any sites it will count for.

Be sure to add any further criteria to identify your events before the pipe to timechart. ( ie "LOGIN FAIL")

you could also use the bin command with stats command, but timechart does both anyhow and this gets you the visualization.

*I threw in the limit=0 in case you have a large amount of websiteNames. The default limit is 10 everything outside 10 would go to "OTHER".

jvarmazis_splun — Sun, 31 May 2015 22:11:29 GMT

To obtain the number of daily events that matches your search criteria for the month of June 2015 per websitename, try this:

your search criteria websitename=* earliest=”6/1/2015:00:00:00” latest=”6/30/2015:23:59:59” | timechart span=1d count by websitename limit=0

By using limit=0 you will return all values (default is limit=10)

n00badmin — Sun, 31 May 2015 23:02:38 GMT

yep this would work too..my suggestion would rely in the time picker to set the time period for the search

yannK — Mon, 01 Jun 2015 05:56:54 GMT

if you want stats. not timechart. Bucket the results per day. then count per _time.

mysearch |bucket _time span=day |stats count by _time

bcronrath — Mon, 10 Oct 2016 20:35:50 GMT

perfect just what I was looking for thank you!