Query for eventcount


I have a lookup file with indexes in it. I want a query: I need the event count of the indexes mentioned in the lookup table for 24 hrs.

0 Karma


This should get you going in the right direction.

| tstats count where [|inputlookup indexes.csv | fields index | format] by index
If this reply helps you, an upvote would be appreciated.
0 Karma
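An added example, not part of the original reply: the same `tstats` search bounded to the last 24 hours, with every index from the lookup kept in the result even when it has no events. It uses the `indexes.csv` lookup and its `index` field exactly as they appear in the reply above.

```spl
| tstats count where earliest=-24h latest=now [| inputlookup indexes.csv | fields index | format] by index
| append [| inputlookup indexes.csv | fields index | eval count=0]
| stats max(count) as count by index
| sort - count
```

`tstats` only returns rows for indexes that have events in the window, so the appended zero rows are what make a silent index visible; a count of 0 for an index that normally receives data is worth checking as a logging gap.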
