topic Re: How to search total events by sourcetype using tstats with timechart to put in a summary index? in Splunk Search

How to search total events by sourcetype using tstats with timechart to put in a summary index?

mwdbhyat — Tue, 16 Aug 2016 11:01:51 GMT

Hi,

I need a top count of the total number of events by sourcetype to be written in tstats(or something as fast) with timechart put into a summary index, and then report on that SI. Using sitimechart changes the columns of my inital tstats command, so I end up having no count to report on. Any thoughts? My initial search before the sitimechart is:

| tstats count where index=main* groupby sourcetype _time

Thanks

Re: How to search total events by sourcetype using tstats with timechart to put in a summary index?

inventsekar — Tue, 16 Aug 2016 11:20:11 GMT

try this one -

 | tstats count WHERE index=* by sourcetype _time

or, main* is required, then

 | tstats count WHERE index=main* by sourcetype _time

Re: How to search total events by sourcetype using tstats with timechart to put in a summary index?

mwdbhyat — Tue, 16 Aug 2016 11:43:37 GMT

I found out the issue - I was just being an idiot and wrote my si command differently to the actual timechart. Thanks anyway!

Re: How to search total events by sourcetype using tstats with timechart to put in a summary index?

inventsekar — Tue, 16 Aug 2016 11:47:19 GMT

regarding that timechart, you can check this one..

| tstats count WHERE index=main by _time host sourcetype span=30m | timechart span=30m sum(count) by sourcetype

if the issue is resolved, can you accept this answer.