Getting Data In

New to splunk, looking for total calculator by week

teegarden7070
Explorer

So far I think I have the syntax built out like this 

index=tool OR index=tool2 OR index=tool3
| eval parta=(index=tool information, information | stats count)
| eval partb=(index=tool2 information, information | stats count)
| eval partc=(index=tool3 information, | stats count)
| table parta partb partc

Thinking this will get me totals for the separate tools, but I'm looking to get just 1 total, per week if possible. I was thinking addtotals would help, but not sure.  Any and all help would be very appreciated. 

Labels (1)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@teegarden7070 

With this use case I would like to suggest to go with below approach where we fetch only those event which have specific fields as you mentioned from below search.

(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)

After this just do stats by index.

| stats count by index 

at this level the index will have the count which has specific field.

You can add | addcoltotals command or remove by index from above search.

like,

 

(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)
| stats count by index 
| addcoltotals

 

OR

(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)
| stats count  

 

To get weekly count you can try this also.

(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)
| bin _time span=w
| stats count by index _time

 

I hope this will help you.

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

teegarden7070
Explorer

Awesome thanks for the help!  I guess the timeframe isn't such a huge deal because I can adjust the parameters of the search, the problem I'm having is the search itself.  Each one of the tools has a separate event that I want to use to find the total count of event.  All the other fields do not necessarily help with a total count.  So all in all I want to index a tool, then get a total count by event in that tool, then be able to display it. If I'm not making sense feel free to critique my thinking. 

0 Karma

teegarden7070
Explorer

For example, if I use the index= all tools, and then add a field where it doesnt count all the events, only a few

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Can you share some sample events from the different indexes showing the different events you want to count? Best to share these in code blocks </> so they are easier to use for testing solutions.

0 Karma

teegarden7070
Explorer

Sure, I can try, but I would like to stay as generic as possible:

index=tool1 OR index=tool2 OR index=too3

So I would like to index the 3 of these tools, but search for specific fields with each tool.  Lets say, 

tool1 field I want is called field 1, tool 2 is called field 2, and tool 3 is called field 3.  

I hate to be so vague, and I really do appreciate the help.  I can do a: 

|stats count by field 1,  but not sure how to get the counts and display all 3 fields. 

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@teegarden7070 

With this use case I would like to suggest to go with below approach where we fetch only those event which have specific fields as you mentioned from below search.

(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)

After this just do stats by index.

| stats count by index 

at this level the index will have the count which has specific field.

You can add | addcoltotals command or remove by index from above search.

like,

 

(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)
| stats count by index 
| addcoltotals

 

OR

(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)
| stats count  

 

To get weekly count you can try this also.

(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)
| bin _time span=w
| stats count by index _time

 

I hope this will help you.

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

teegarden7070
Explorer

This is great! Thank you so much for all of your help!

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@teegarden7070 

Are you looking for something this? 

Just execute for last 7 days OR week.

 

index=tool OR index=tool2 OR index=tool3
| stats count by index | addcoltotals

 

OR

 

index=tool OR index=tool2 OR index=tool3
| stats count  

 

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index=tool OR index=tool2 OR index=tool3
| bin _time span=1w
| stats count by index _time
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...