eventcount not working with realtime search

ssujin · ‎10-25-2016

time dependent searches with realtime time range not working in dropdown on simple XML.

<input type="dropdown" token="index" searchWhenChanged="true">
            <label>Tenants</label>
            <prefix>index="</prefix>
            <suffix>"</suffix>
            <search>
                <query>| eventcount summarize=false index=* | dedup index | search NOT (index=main OR index=summary OR index=history)</query>
            </search>
            <fieldForLabel>index</fieldForLabel>
            <fieldForValue>index</fieldForValue>
            <choice value="*">All</choice>
            <default>*</default>
            <searchWhenChanged>true</searchWhenChanged>
        </input>

getting error dashboard as Error in 'eventcount' command: This command is not supported in a real-time search:

same error for tstats query also
| tstats prestats=t count WHERE host=$host$ index= NOT (index=main OR index=summary OR index=history) GROUPBY index | stats count by index | where count > 0*

Kindly help me on this, If not possible is there any work around or alternatives for this error.

inventsekar · ‎10-25-2016

well, the tstats command(maybe, eventcount also) is used to perform statistical queries on indexed fields in tsidx files.
for real-time searches, the tsidx files will not be available, as the search itself is real-time.

document also says this
eventcount Description
Returns the number of events in the specified indexes.
Note: You cannot use this command over different time ranges.

we can use stats command for real-time searches

index=* | stats count BY index

eventcount not working with realtime search

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM