Can you create this query please?

test2001 · ‎06-03-2022

Can you create a query that search for all the logs that got entered in an index for the last 24hours and group it by index? That similar to a table with the number of logs added per index in the period of time you select.

It would be much appreciated thank you so much for your help:)

somesoni2 · ‎06-03-2022

Try like this (Select appropriate timerange)

| tstats count WHERE index=* by index

test2001 · ‎06-08-2022

Perfect this helps thank you so much!

hackalope · ‎06-03-2022

This question has a lot of discussion that's similar to your problem. From that, I think the following query will do what you want.

|  tstats count values(sourcetype) WHERE index=* BY index

Don't forget about the metadata command - that's another good one to see the latest event received by sourcetype and other ingest monitoring information.

test2001 · ‎06-08-2022

Perfect I will check it out and thank you for your answer!

Can you create this query please?

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation

Can you create this query please?

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform