Splunk Dev

add total count at the end of query

sarit_s
Communicator

Hello,
I have this query:

|datamodel events_prod events summariesonly=true flat  
    | search  _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN 
    | eval crate_path=source  
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data  
    | fields  uuid, timestamp , data, crate_path  
    | dedup uuid 
    | sort 0 - timestamp
    | head 1000


I want to add the total count of the events at the end.
If I use append, the query runs for a long time.
Any suggestions?

thanks


scelikok
SplunkTrust

You can replace the fields command with table:

|datamodel events_prod events summariesonly=true flat  
    | search  _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN 
    | eval crate_path=source, count=1  
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data  
    | table  uuid, timestamp , data, crate_path  
    | dedup uuid 
    | sort 0 - timestamp
    | head 1000
    | addcoltotals labelfield="Total events" count

If this reply helps you an upvote and "Accept as Solution" is appreciated.

sarit_s
Communicator

The result that returns is "Total", not a number.


scelikok
SplunkTrust

Sorry, I missed the streamstats; that is why count does not exist. I think the query below will work for you.

|datamodel events_prod events summariesonly=true flat  
    | search  _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN 
    | eval crate_path=source
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data  
    | stats count max(timestamp) as timestamp latest(data) as data latest(crate_path) as crate_path by uuid
    | sort 0 - timestamp
    | head 1000
    | addcoltotals labelfield="Total events" count

If this reply helps you an upvote and "Accept as Solution" is appreciated.

sarit_s
Communicator

The stats command is not working; it returns no results.
Also, even if I fix the stats, the "data" and "crate_path" fields are empty and the "Total Count" still returns "Total" instead of a number.


scelikok
SplunkTrust

Can you please share some sample data?

If this reply helps you an upvote and "Accept as Solution" is appreciated.

sarit_s
Communicator


uuid - 4c39b3b
crate_path - [LSAPL]/messages-20200823000221
data - 123 Disabled

Actually, you can insert whatever you want; it should work the same, no?


scelikok
SplunkTrust

Since there is no stats command in the search, I thought it was normal to show 1, 2, 3, ... The last row will show the count of events. Maybe you can try the query below.

|datamodel events_prod events summariesonly=true flat  
    | search  _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN 
    | eval crate_path=source, count=1  
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data  
    | fields  uuid, timestamp , data, crate_path  
    | dedup uuid 
    | sort 0 - timestamp
    | head 1000
    | addcoltotals labelfield="Total events" count

If this reply helps you an upvote and "Accept as Solution" is appreciated.

sarit_s
Communicator

How can I show it in a table or something?


scelikok
SplunkTrust

@sarit_s, you can use the streamstats command to count events.

|datamodel events_prod events summariesonly=true flat  
    | search  _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN 
    | eval crate_path=source  
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data  
    | fields  uuid, timestamp , data, crate_path  
    | dedup uuid 
    | sort 0 - timestamp
    | streamstats count
    | head 1000

If this reply helps you an upvote and "Accept as Solution" is appreciated.

sarit_s
Communicator

Hey,
thanks for your reply.

When using streamstats and table after it, it returns results as 1, 2, 3, ... without any correlation to the real number of events.
When I use eventstats it returns the real number, but the same number for each row.
Is it possible to return the count in the last row?

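An added example, not from any post in this thread, that puts the total as a number in the last row using the thread's own field names and time window: eventstats stamps the total onto every row before head, and appendpipe, unlike append, runs a short subpipeline over the results already in hand instead of re-running the search, so it stays cheap. The last row carries the label in the uuid column and the numeric total in count; the data rows have count empty. The field name total_events is my own choice.

```spl
|datamodel events_prod events summariesonly=true flat
    | search _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN
    | eval crate_path=source
    | rename kafka_uuid as uuid, _time as timestamp, _raw as data
    | fields uuid, timestamp, data, crate_path
    | dedup uuid
    | sort 0 - timestamp
    | eventstats count as total_events
    | head 1000
    | appendpipe [ stats first(total_events) as count | eval uuid="Total events" ]
    | table uuid, timestamp, data, crate_path, count
```

Because the total is computed before head, it reflects every deduplicated event in the window, not just the 1000 rows shown. The addcoltotals approach from the replies above only shows "Total" because the fields/table command drops the count field before it is summed; keeping count in that list makes the sum appear, but then it covers only the displayed rows.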