https://community.splunk.com/t5/Splunk-Search/How-to-graph-the-event-count-by-sourcetype-on-a-specific-index/m-p/265213#M79733 <P>Try this</P> <PRE><CODE>| tstats count WHERE index=YourIndexHere by _time host sourcetype span=30m | eval metric=host.":".sourcetype | timechart span=30m sum(count) by metric </CODE></PRE> Wed, 30 Mar 2016 17:14:03 GMT somesoni2 2016-03-30T17:14:03Z https://community.splunk.com/t5/Splunk-Search/How-to-graph-the-event-count-by-sourcetype-on-a-specific-index/m-p/265209#M79729 <P>I have found a lot of ways to do one or the other of these, but short summary of what we have with theoretical numbers</P> <P>10 hosts<BR /> 10 logs per host going to one index</P> <P>I would like to use the index as a starting point since I am specifically looking for event count that goes to that index. (Java Logs)</P> <P>How would I graph the following please?</P> <P>over 7 day period, what is the event count per log per host - 30 min buckets - end result would be something like...</P> <P>host1 - log1 - 8:00-8:30 50 events<BR /> host1 - log2 - 8:00-8:30 50 events<BR /> host1 - log3 - 8:00-8:30 50 events<BR /> host1 - log4 - 8:00-8:30 50 events<BR /> host1 - log5 - 8:00-8:30 50 events<BR /> host2 - log1 - 8:00-8:30 50 events<BR /> host2 - log2 - 8:00-8:30 50 events<BR /> host2 - log3 - 8:00-8:30 50 events<BR /> host2 - log4 - 8:00-8:30 50 events<BR /> host2 - log5 - 8:00-8:30 50 events</P> <P>etc...</P> <P>Thanks<BR /> John</P> Wed, 30 Mar 2016 15:52:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-graph-the-event-count-by-sourcetype-on-a-specific-index/m-p/265209#M79729 dolejh76 2016-03-30T15:52:30Z https://community.splunk.com/t5/Splunk-Search/How-to-graph-the-event-count-by-sourcetype-on-a-specific-index/m-p/265210#M79730 <P>Give this a try</P> <PRE><CODE>| tstats count WHERE index=YourIndexHere by _time host sourcetype span=30m </CODE></PRE> Wed, 30 Mar 2016 15:56:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-graph-the-event-count-by-sourcetype-on-a-specific-index/m-p/265210#M79730 somesoni2 2016-03-30T15:56:55Z https://community.splunk.com/t5/Splunk-Search/How-to-graph-the-event-count-by-sourcetype-on-a-specific-index/m-p/265211#M79731 <P>Love it so far - thanks!</P> Wed, 30 Mar 2016 16:30:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-graph-the-event-count-by-sourcetype-on-a-specific-index/m-p/265211#M79731 dolejh76 2016-03-30T16:30:40Z https://community.splunk.com/t5/Splunk-Search/How-to-graph-the-event-count-by-sourcetype-on-a-specific-index/m-p/265212#M79732 <P>Spoke a little too soon... the table is exactly what I need.</P> <P>The graph is just total count and is not separating by host / sourcetype. Is this something I need to configure on the graph or something that should be configured on the query? Worse case I can export to excel and graph on a pivot chart but would be nice to have it on a dashboard.</P> <P>Thanks</P> <P>JD</P> Wed, 30 Mar 2016 17:05:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-graph-the-event-count-by-sourcetype-on-a-specific-index/m-p/265212#M79732 dolejh76 2016-03-30T17:05:44Z https://community.splunk.com/t5/Splunk-Search/How-to-graph-the-event-count-by-sourcetype-on-a-specific-index/m-p/265213#M79733 <P>Try this</P> <PRE><CODE>| tstats count WHERE index=YourIndexHere by _time host sourcetype span=30m | eval metric=host.":".sourcetype | timechart span=30m sum(count) by metric </CODE></PRE> Wed, 30 Mar 2016 17:14:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-graph-the-event-count-by-sourcetype-on-a-specific-index/m-p/265213#M79733 somesoni2 2016-03-30T17:14:03Z https://community.splunk.com/t5/Splunk-Search/How-to-graph-the-event-count-by-sourcetype-on-a-specific-index/m-p/265214#M79734 <P>Love it - thank you very much for your quit response - really appreciate it!</P> Wed, 30 Mar 2016 17:16:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-graph-the-event-count-by-sourcetype-on-a-specific-index/m-p/265214#M79734 dolejh76 2016-03-30T17:16:45Z