Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

add total count at the end of query

sarit_s
Communicator
‎12-08-2020 11:34 PM

Hello
i have this query :

|datamodel events_prod events summariesonly=true flat  
    | search  _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN 
    | eval crate_path=source  
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data  
    | fields  uuid, timestamp , data, crate_path  
    | dedup uuid 
    | sort 0 - timestamp
    | head 1000

 

i want to add at the end total count of the events..
if im using append the query is running for long time.
any suggestions ?

thanks

Labels (1)
Labels
Tags (2)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-09-2020 03:17 AM

You can change fields command with table;

|datamodel events_prod events summariesonly=true flat  
    | search  _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN 
    | eval crate_path=source, count=1  
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data  
    | table  uuid, timestamp , data, crate_path  
    | dedup uuid 
    | sort 0 - timestamp
    | head 1000
    | addcoltotals labelfield="Total events" count
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

sarit_s
Communicator
‎12-10-2020 01:36 AM

the results that returns is "Total" not a number

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-10-2020 02:04 AM

Sorry,  I missed the streamstats, that is why count does not exists.  I think below query will work for you.

 

|datamodel events_prod events summariesonly=true flat  
    | search  _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN 
    | eval crate_path=source
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data  
    | stats count max(timestamp) as timestamp latest(data) as data latest(crate_path) as crate_path by uuid
    | sort 0 - timestamp
    | head 1000
    | addcoltotals labelfield="Total events" count

 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

sarit_s
Communicator
‎12-10-2020 03:44 AM

the stats command is not working.. returns no results 
also, even if im fixing the stats, the "data" and "crate_path" fields are empty and the "Total Count" still returns "Total" instead of number

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-10-2020 04:23 AM

Can you please share some sample data? 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

sarit_s
Communicator
‎12-10-2020 04:28 AM

 

uuid - 4c39b3b

 



 

crate_path  - [LSAPL]/messages-20200823000221	
data - 123 Disabled

 


actually, you can insert what ever you want, it should work the same, no ?

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-09-2020 12:35 AM

Since there is no stats command in the search I thought it is normal to show 1,2,3.... The last row will show the count of events.  Maybe you can try below query. 

 

|datamodel events_prod events summariesonly=true flat  
    | search  _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN 
    | eval crate_path=source, count=1  
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data  
    | fields  uuid, timestamp , data, crate_path  
    | dedup uuid 
    | sort 0 - timestamp
    | head 1000
    | addcoltotals labelfield="Total events" count

 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

sarit_s
Communicator
‎12-09-2020 02:18 AM

how can i show it in table or something ?

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-08-2020 11:44 PM

@sarit_s , you can use streamstats command to count events.

|datamodel events_prod events summariesonly=true flat  
    | search  _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN 
    | eval crate_path=source  
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data  
    | fields  uuid, timestamp , data, crate_path  
    | dedup uuid 
    | sort 0 - timestamp
    | streamstats count
    | head 1000
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

sarit_s
Communicator
‎12-09-2020 12:02 AM

Hey
thanks for your reply

when using streamstats and table after, it returns results as 1,2,3 .. without any correlation to the real number of events..
when im using eventstats it returns the real number but the same number for each raw. 
is it possible to return the count at the last raw ?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...