How many sources are there and what is the size of each source?

Communicator

I am trying to write code that counts how many 'Sources' there are and the size/line count of each source.

This is what I have composed so far.

index=rambo host=GA20htkram001 source="/bsahare/bsassian/application-data/rambo/xml-data/builds/*" | stats dc(source) as distinct_sources
1 Solution

Ultra Champion

Try this (gets you all sources with their respective event count in your system for index=rambo):

| metadata type=sources where index=rambo

Or:

| tstats count where index=rambo by source

SplunkTrust

@zacksoft ,

Can you please try the following search?

index=rambo host=GA20htkram001 source="/bsahare/bsassian/application-data/rambo/xml-data/builds/*" | eval size = len(_raw) | stats count sum(size) as size by source

You can also use metadata, as in the following search, for all sources and their counts:

| metadata type=sources | table source totalCount

Communicator

And in the second suggestion, | metadata type=sources | table source totalCount
it gives me all the sources of all the indexes. How do I make sure it only gives me data for index=rambo and sources that are of the format "/bsahare/bsassian/application-data/rambo/xml-data/builds/*", and no duplicate sources?

Communicator

I'm applying the first suggestion.
In the visualization I'm trying a column graph. How do I make sure that the source names come on the X-axis and the line count shows on the Y-axis?
Using the suggestion, the visualization looks weird.
Is it possible to get the top 20 sources with the highest line count?

SplunkTrust

Please try this:

index=rambo host=GA20htkram001 source="/bsahare/bsassian/application-data/rambo/xml-data/builds/*" | eval size = len(_raw) | stats count sum(size) as size by source | sort 20 -count

Communicator

| metadata type=sources where index=rambo

In the above command, how do I add a condition so that it only searches the sources that are of the format "/bsahare/bsassian/application-data/rambo/xml-data/builds/*"? Currently it gives me all the sources from index rambo.

Ultra Champion

Just add a | search source="/bsahare/bsassian/application-data/rambo/xml-data/builds/*" at the end.

Communicator

Thanks. This is exactly what I wanted.