Solved: How to return the daily event count of every index...

gazoscreek · ‎04-07-2022

Does anyone have a solution for a query that will return the daily event count of every index, index by index, even the ones that have ingested zero events?

| tstats count WHERE index=* OR index=_* by index ... only returns indexes that have > 0 events.

VatsalJagani · ‎04-07-2022

Run this search:

| tstats count WHERE index=* OR index=_* by index
| append [| rest /servicesNS/-/-/data/indexes count=0 | fields title | dedup title | rename title as index | eval count=0]
| stats sum(count) as count by index

I hope this helps!! Accept the answer if it does!!

View solution in original post

VatsalJagani · ‎04-07-2022

Run this search:

| tstats count WHERE index=* OR index=_* by index
| append [| rest /servicesNS/-/-/data/indexes count=0 | fields title | dedup title | rename title as index | eval count=0]
| stats sum(count) as count by index

I hope this helps!! Accept the answer if it does!!

gazoscreek · ‎04-07-2022

Perfect solution. Thank you so much!

How to return the daily event count of every index?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How to return the daily event count of every index?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR