topic Re: How to get a count of all of the events in all datamodels with tstats in Splunk Search

How to get a count of all of the events in all datamodels with tstats?

BlueSocket — Tue, 07 Mar 2023 15:17:47 GMT

Hi, I am trying to get a list of datamodels and their counts of events for each, so as to make sure that our datamodels are working.

I have got a list of the datamodels here:

| datamodel | spath input=_raw output=datamodelname path="modelName" | table datamodelname

However, when I append the tstats command onto this, as in here, Splunk reponds with no data and "datamodel 'datamodelname' not found".

| tstats count from datamodel=datamodelname

I am guessing that the "datamodel" parameter in tstats should be a literal and not a variable field? If so, how do I execute this?

Kindest regards,

BlueSocket

Re: How to get a count of all of the events in all datamodels with tstats

BlueSocket — Fri, 26 Jan 2018 10:13:26 GMT

I can't believe that no one has got an idea about this (and there have been 55 views with 44 people following this question)!

Re: How to get a count of all of the events in all datamodels with tstats

DalJeanis — Fri, 26 Jan 2018 17:33:03 GMT

You are probably going to want to use a map command based upon the output of the initial command. I don't have one handy, but I'll check and see if I can put one together when i get a chance, if no one has solved this for you by then.

Re: How to get a count of all of the events in all datamodels with tstats

BlueSocket — Mon, 29 Jan 2018 11:12:25 GMT

Thanks - I got a bit further, but not quite there with this query:

And I get this:

datamodel            count
----------------            --------
                             1928

I get the index and the count, but not the datamodel in the table. I am looking for:

datamodel      count
----------------      --------
security             1928

I tried:

Re: How to get a count of all of the events in all datamodels with tstats

DEAD_BEEF — Sat, 15 Sep 2018 19:11:48 GMT

This is what I have thus far. You have to specify the datamodel (which is fine as I'm not using all of them) but I can't seem to find the name of the field that has the datamodel name either.

| tstats summariesonly=t min(_time) as min, max(_time) as max count from datamodel=Web 
| append 
    [| tstats summariesonly=t min(_time) as min, max(_time) as max count from datamodel=Malware] 
| append 
    [| tstats summariesonly=t min(_time) as min, max(_time) as max count from datamodel=Intrusion_Detection ] 
| eval "Start time"=strftime(min, "%c") 
| eval "End time"=strftime(max, "%c") 
| eval "Event count" = count 
| fields "Start time" "End time" "Event count"

Re: How to get a count of all of the events in all datamodels with tstats

arizviherjavec — Thu, 25 Apr 2019 15:12:58 GMT

This is a very dumb solution, but I was looking for a quick and dirty way to see the numbers. Maybe this might spark another idea with someone else.

I amended the search and did this:

So this gave me this table:

Match the zero to the count table, and you get the number of events.

Again, I know it's a lame way to do it, but it works for my intents.

Re: How to get a count of all of the events in all datamodels with tstats

patrickp_splunk — Tue, 07 Mar 2023 09:04:56 GMT

Hi BlueSocket,

I know this is a pretty old thread, but I stumbled upon the same question today.
You almost had the solution yourself. You only missed escaped quotes.

Re: How to get a count of all of the events in all datamodels with tstats?

EbolaWare — Fri, 05 Jan 2024 16:08:34 GMT

I stumbled across this while seeking a solution this week. I came up with something pretty similar to @patrickp_splunk . With a slight change. I kicked things into json before it comes out of the map command (because `map` only allowed me to bring back one field).

| datamodelsimple \
     | map maxsearches=500 search="| tstats count FROM datamodel=$datamodel$ | eval dmName=\"$datamodel$\" 
     | tojson | fields - count,dmName" | extract | table dmName,count