Re: Can you create this query please?

test2001 · ‎06-03-2022

Can you create a query that search for all the logs that got entered in an index for the last 24hours and group it by index? That similar to a table with the number of logs added per index in the period of time you select.

It would be much appreciated thank you so much for your help:)

somesoni2 · ‎06-03-2022

Try like this (Select appropriate timerange)

| tstats count WHERE index=* by index

test2001 · ‎06-08-2022

Perfect this helps thank you so much!

hackalope · ‎06-03-2022

This question has a lot of discussion that's similar to your problem. From that, I think the following query will do what you want.

|  tstats count values(sourcetype) WHERE index=* BY index

Don't forget about the metadata command - that's another good one to see the latest event received by sourcetype and other ingest monitoring information.

test2001 · ‎06-08-2022

Perfect I will check it out and thank you for your answer!

Can you create this query please?

stats

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

Can you create this query please?

stats

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2