Can you create this query please?

test2001 · ‎06-03-2022

Can you create a query that search for all the logs that got entered in an index for the last 24hours and group it by index? That similar to a table with the number of logs added per index in the period of time you select.

It would be much appreciated thank you so much for your help:)

somesoni2 · ‎06-03-2022

Try like this (Select appropriate timerange)

| tstats count WHERE index=* by index

test2001 · ‎06-08-2022

Perfect this helps thank you so much!

hackalope · ‎06-03-2022

This question has a lot of discussion that's similar to your problem. From that, I think the following query will do what you want.

|  tstats count values(sourcetype) WHERE index=* BY index

Don't forget about the metadata command - that's another good one to see the latest event received by sourcetype and other ingest monitoring information.

test2001 · ‎06-08-2022

Perfect I will check it out and thank you for your answer!

Can you create this query please?

stats

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

Can you create this query please?

stats

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions