Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count the logs quickly that with eventtypes

xsstest
Communicator
‎03-05-2018 04:35 AM

I have an eventtype, but I want to count number of eventtype from nginx access log . then show on dashboard.

eventtype web_spider :

ua="spider" OR uri="spider" OR ua="bot" OR ua="monitor"

But nginx has a lot of logs , if use index=nginx eventtype="web_spider"|stats count,search speed will be very slow. Could I use tstats command to count ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎03-05-2018 04:45 AM

yes you can use tstats command but you would need to build a datamodel for that.
Refer this for creating a data model
http://docs.splunk.com/Documentation/Splunk/7.0.1/PivotTutorial/Buildtutorialdatamodel

After creating a datamodel you can use tstats command

| tstats count FROM datamodel=<datamodel_name> where index=nginx eventtype="web_spider"

If you have a single query that you want it to run faster then you can try report acceleration as well.

Save a search index=nginx eventtype="web_spider"|stats count as report and then refer below link to do report acceleration
http://docs.splunk.com/Documentation/Splunk/7.0.2/Report/Acceleratereports

let me know if this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎03-05-2018 04:45 AM

yes you can use tstats command but you would need to build a datamodel for that.
Refer this for creating a data model
http://docs.splunk.com/Documentation/Splunk/7.0.1/PivotTutorial/Buildtutorialdatamodel

After creating a datamodel you can use tstats command

| tstats count FROM datamodel=<datamodel_name> where index=nginx eventtype="web_spider"

If you have a single query that you want it to run faster then you can try report acceleration as well.

Save a search index=nginx eventtype="web_spider"|stats count as report and then refer below link to do report acceleration
http://docs.splunk.com/Documentation/Splunk/7.0.2/Report/Acceleratereports

let me know if this helps!

Reply
Solved! Jump to solution

xsstest
Communicator
‎03-05-2018 06:15 AM

thank you very much ~I am a SPLUNK novice

0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎03-05-2018 06:27 AM

very good answer...

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...