https://community.splunk.com/t5/Splunk-Search/Use-of-Count-by-Date-in-metadata-type-hosts/m-p/155189#M43648 <P>All events have the _time field automatically added by Splunk. You can use that to generate your reports.</P> Tue, 09 Dec 2014 18:37:54 GMT richgalloway 2014-12-09T18:37:54Z https://community.splunk.com/t5/Splunk-Search/Use-of-Count-by-Date-in-metadata-type-hosts/m-p/155188#M43647 <P>Hello. I would like to know if there is any speicific - convenient - way to perform stats count by various date.</P> <P>Using |metadata type=hosts |fields host totalCount, I get something like this</P> <PRE><CODE>host totalCount A 5 B 27 C 48 D 95 </CODE></PRE> <P>I would like to perform stats count by name over a period of time by date</P> <P>but the problem is that the log does not come with the timestamp. </P> <P>As a result, I've been manually performing <BR /> |metadata type=hosts |fields host totalCount| stats count by Name Set the timestamp to earliest=-2d@d latest -d@d<BR /> |metadata type=hosts |fields host totalCount| stats count by Name Set the timestamp to earliest=-3d@d latest -2@d<BR /> |metadata type=hosts |fields host totalCount| stats count by Name Set the timestamp to earliest=-4d@d latest -3@d<BR /> ... ... ... <BR /> and so on.</P> <P>Is this the only way or is there any easier way to run the query to collect all the counts for date to get something like this;</P> <PRE><CODE> host 12/04/14 12/05/14 12/06/14 ... A 5 10 ... B 27 12 ... C 48 40 ... D 95 25 ... </CODE></PRE> <P>Thanks in advance!</P> Tue, 09 Dec 2014 18:14:37 GMT https://community.splunk.com/t5/Splunk-Search/Use-of-Count-by-Date-in-metadata-type-hosts/m-p/155188#M43647 hcheang 2014-12-09T18:14:37Z https://community.splunk.com/t5/Splunk-Search/Use-of-Count-by-Date-in-metadata-type-hosts/m-p/155189#M43648 <P>All events have the _time field automatically added by Splunk. You can use that to generate your reports.</P> Tue, 09 Dec 2014 18:37:54 GMT https://community.splunk.com/t5/Splunk-Search/Use-of-Count-by-Date-in-metadata-type-hosts/m-p/155189#M43648 richgalloway 2014-12-09T18:37:54Z https://community.splunk.com/t5/Splunk-Search/Use-of-Count-by-Date-in-metadata-type-hosts/m-p/155190#M43649 <P>It's in metadata format in fact.</P> <BLOCKQUOTE> <P>|metadata type=hosts</P> </BLOCKQUOTE> <P>And no, I 've tried |metadata type=hosts|stats count by _time </P> <P>and it gives nothing.</P> Tue, 09 Dec 2014 18:52:58 GMT https://community.splunk.com/t5/Splunk-Search/Use-of-Count-by-Date-in-metadata-type-hosts/m-p/155190#M43649 hcheang 2014-12-09T18:52:58Z https://community.splunk.com/t5/Splunk-Search/Use-of-Count-by-Date-in-metadata-type-hosts/m-p/155191#M43650 <P>The metadata command doesn't contains the time field for when the report was generated. Try this workaround:- </P> <PRE><CODE>| metasearch index=* | eval Date=strftime(_time,"%Y-%m-%d") | chart count over host by Date </CODE></PRE> Tue, 09 Dec 2014 22:15:48 GMT https://community.splunk.com/t5/Splunk-Search/Use-of-Count-by-Date-in-metadata-type-hosts/m-p/155191#M43650 somesoni2 2014-12-09T22:15:48Z https://community.splunk.com/t5/Splunk-Search/Use-of-Count-by-Date-in-metadata-type-hosts/m-p/155192#M43651 <P>The chart it is generating is exactly what I want but the problem is that it is giving the wrong count.</P> <P>Moreover, after 2 days count (as of Today, 2014-12-10, 2014-12-11), all I'm getting is 0 for the count which isn't true.</P> <P>Any suggestion?</P> Thu, 11 Dec 2014 17:21:05 GMT https://community.splunk.com/t5/Splunk-Search/Use-of-Count-by-Date-in-metadata-type-hosts/m-p/155192#M43651 hcheang 2014-12-11T17:21:05Z