Dashboards & Visualizations

eventcount not working with realtime search

ssujin
Explorer

time dependent searches with realtime time range not working in dropdown on simple XML.

<input type="dropdown" token="index" searchWhenChanged="true">
            <label>Tenants</label>
            <prefix>index="</prefix>
            <suffix>"</suffix>
            <search>
                <query>| eventcount summarize=false index=* | dedup index | search NOT (index=main OR index=summary OR index=history)</query>
            </search>
            <fieldForLabel>index</fieldForLabel>
            <fieldForValue>index</fieldForValue>
            <choice value="*">All</choice>
            <default>*</default>
            <searchWhenChanged>true</searchWhenChanged>
        </input> 

getting error dashboard as Error in 'eventcount' command: This command is not supported in a real-time search:
alt text

same error for tstats query also
| tstats prestats=t count WHERE host=$host$ index= NOT (index=main OR index=summary OR index=history) GROUPBY index | stats count by index | where count > 0*

Kindly help me on this, If not possible is there any work around or alternatives for this error.

0 Karma

inventsekar
SplunkTrust
SplunkTrust

well, the tstats command(maybe, eventcount also) is used to perform statistical queries on indexed fields in tsidx files.
for real-time searches, the tsidx files will not be available, as the search itself is real-time.

document also says this
eventcount Description
Returns the number of events in the specified indexes.
Note: You cannot use this command over different time ranges.

we can use stats command for real-time searches

index=* | stats count BY index

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...