Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

add total count at the end of query

sarit_s
Communicator
‎12-08-2020 11:34 PM

Hello
i have this query :

|datamodel events_prod events summariesonly=true flat  
    | search  _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN 
    | eval crate_path=source  
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data  
    | fields  uuid, timestamp , data, crate_path  
    | dedup uuid 
    | sort 0 - timestamp
    | head 1000

 

i want to add at the end total count of the events..
if im using append the query is running for long time.
any suggestions ?

thanks

Labels (1)
Labels
Tags (2)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-09-2020 03:17 AM

You can change fields command with table;

|datamodel events_prod events summariesonly=true flat  
    | search  _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN 
    | eval crate_path=source, count=1  
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data  
    | table  uuid, timestamp , data, crate_path  
    | dedup uuid 
    | sort 0 - timestamp
    | head 1000
    | addcoltotals labelfield="Total events" count
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

sarit_s
Communicator
‎12-10-2020 01:36 AM

the results that returns is "Total" not a number

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-10-2020 02:04 AM

Sorry,  I missed the streamstats, that is why count does not exists.  I think below query will work for you.

 

|datamodel events_prod events summariesonly=true flat  
    | search  _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN 
    | eval crate_path=source
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data  
    | stats count max(timestamp) as timestamp latest(data) as data latest(crate_path) as crate_path by uuid
    | sort 0 - timestamp
    | head 1000
    | addcoltotals labelfield="Total events" count

 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

sarit_s
Communicator
‎12-10-2020 03:44 AM

the stats command is not working.. returns no results 
also, even if im fixing the stats, the "data" and "crate_path" fields are empty and the "Total Count" still returns "Total" instead of number

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-10-2020 04:23 AM

Can you please share some sample data? 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

sarit_s
Communicator
‎12-10-2020 04:28 AM

 

uuid - 4c39b3b

 



 

crate_path  - [LSAPL]/messages-20200823000221	
data - 123 Disabled

 


actually, you can insert what ever you want, it should work the same, no ?

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-09-2020 12:35 AM

Since there is no stats command in the search I thought it is normal to show 1,2,3.... The last row will show the count of events.  Maybe you can try below query. 

 

|datamodel events_prod events summariesonly=true flat  
    | search  _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN 
    | eval crate_path=source, count=1  
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data  
    | fields  uuid, timestamp , data, crate_path  
    | dedup uuid 
    | sort 0 - timestamp
    | head 1000
    | addcoltotals labelfield="Total events" count

 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

sarit_s
Communicator
‎12-09-2020 02:18 AM

how can i show it in table or something ?

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-08-2020 11:44 PM

@sarit_s , you can use streamstats command to count events.

|datamodel events_prod events summariesonly=true flat  
    | search  _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN 
    | eval crate_path=source  
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data  
    | fields  uuid, timestamp , data, crate_path  
    | dedup uuid 
    | sort 0 - timestamp
    | streamstats count
    | head 1000
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

sarit_s
Communicator
‎12-09-2020 12:02 AM

Hey
thanks for your reply

when using streamstats and table after, it returns results as 1,2,3 .. without any correlation to the real number of events..
when im using eventstats it returns the real number but the same number for each raw. 
is it possible to return the count at the last raw ?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...