Can you create this query please?

test2001 · ‎06-03-2022

Can you create a query that search for all the logs that got entered in an index for the last 24hours and group it by index? That similar to a table with the number of logs added per index in the period of time you select.

It would be much appreciated thank you so much for your help:)

somesoni2 · ‎06-03-2022

Try like this (Select appropriate timerange)

| tstats count WHERE index=* by index

test2001 · ‎06-08-2022

Perfect this helps thank you so much!

hackalope · ‎06-03-2022

This question has a lot of discussion that's similar to your problem. From that, I think the following query will do what you want.

|  tstats count values(sourcetype) WHERE index=* BY index

Don't forget about the metadata command - that's another good one to see the latest event received by sourcetype and other ingest monitoring information.

test2001 · ‎06-08-2022

Perfect I will check it out and thank you for your answer!

Can you create this query please?

stats

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Join the Conversation

Can you create this query please?

stats

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)