Hi, I am a newbie here. I just wanted to ask: how can I create a report of the number of logs collected for all log sources for a particular time frame?
Thanks a lot in advance!
You can try something like this:
| metadata type=hosts | stats count by host
index=myindex | stats count by host
OR even this
| metadata type=hosts | where totalCount>0 | table host totalCount
Hope this helps.
> please upvote and accept answer if you find it useful - thanks!
It shows a list for All time but when I try running it on a specific timeframe I get 0 events.
Thanks for your help. Actually, I get the same totalCount if I select the last 4, 7, 24 and 7 days.
That's probably because you don't have any events during that specific time frame.
Hi, thanks for the quick reply. How about, instead of log sources, I want to know which (top 10) hosts have the most logs for a particular time frame? Thanks!
Please upvote and accept the answer - members of our community will find it useful.
Thanks!
Well, if you are only interested in the number of log sources in your Splunk server, then you can use the following (choose the time frame using the time picker/dropdown):
| metadata type=sources | stats count by source
Alternatively, you can also use the following for a specific index:
index=myindex | stats count by source
If you are interested in the number of EVENTS for each of your sources, then this can help:
| metadata type=sources | where totalCount>0 | table source totalCount
Hope this helps.
> please upvote and accept answer if you find it useful - thanks!
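Editor's note with an added example (this is not from any of the thread's posters): the metadata command works from bucket-level summaries, and totalCount is accumulated per index bucket rather than per event. Narrowing the time picker only drops buckets that fall entirely outside the range, so going from 7 days to 4 hours often leaves totalCount unchanged, which is consistent with what the asker reports above. For an event count that honours the selected time range exactly, and for the follow-up question about the ten busiest hosts, tstats over the indexed fields is the reliable choice. The index=* filter and the 60-minute silence threshold below are assumptions; adjust them to your environment.

```spl
| tstats count AS events latest(_time) AS last_seen
    WHERE index=*
    BY index host sourcetype
| eval minutes_silent = round((now() - last_seen) / 60, 0)
| eval status = if(minutes_silent > 60, "SILENT", "ok")
| fieldformat last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - events
| table index host sourcetype events last_seen minutes_silent status
```

The search takes its range from the time picker, so the events column changes as the range changes; append | head 10 for the top-10 hosts view asked for in the thread, or drop sourcetype from the BY clause to count per host only. The status column is the check a security operations team actually wants from a report like this: a host or sourcetype that was logging earlier in the window but has sent nothing for the last hour (an assumed threshold) is a forwarder outage, a misconfiguration, or an attacker disabling logging, and a plain count per source would not surface it. Run it over a window longer than the silence threshold (for example the last 7 days) so sources that went quiet still appear in the results.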