Splunk Search

Count events in summary index

oshirnin
Path Finder

Hello, everybody!

Does anybody can help with such an easy problem as counting events in summary index?

I have a summary index populated with something like SS:

 

| tstats prestats=true summariesonly=false
    min(CPU.CPU_Performance.cpu_load_percent),
    avg(CPU.CPU_Performance.cpu_load_percent), 
    max(CPU.CPU_Performance.cpu_load_percent)
  from datamodel=MODEL where nodename=CPU.CPU_Performance
  by host, CPU.CPU_Performance.cpu_instance 
| sistats
    min(CPU.CPU_Performance.cpu_load_percent),     
    avg(CPU.CPU_Performance.cpu_load_percent), 
    max(CPU.CPU_Performance.cpu_load_percent)
  by host, CPU.CPU_Performance.cpu_instance 
| addinfo 
| eval _time=info_min_time, host=upper(host) 
| fields - info_sid, info_search_time, info_min_time, info_max_time
| collect index=my_summary

 

My SS is scheduled to run once an hour, so I every hour get 1 event for each orig_host in summary index.

Now I want to check, if all the required events are here in summary index. I expect to get count=24 events for each orig_host in summary index for each day. When I try the search:

 

index=my_summary | stats count by orig_host

 

I get all the psrsvd_ct_ values summarized giving me not what I expected. How should I change my search to count events in summary index?

Labels (1)
0 Karma

oshirnin
Path Finder

Hello, can anyone help with this?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=my_summary 
| bin span=1d _time
| stats count by _time orig_host
0 Karma

oshirnin
Path Finder

@ITWhisperer this doesn't work, it takes psrsvd_ct_ values and sum these. Please, check attached

splunk01.PNG

splunk02.PNG

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

It looks like orig_host might be a multivalue field in your summary index, with your host repeated 3.5 times. (3.5 * 24 = 84). Please can you check?

0 Karma

oshirnin
Path Finder

Sure my orig_host is NOT MV

splunk03.PNG

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

How about _time

| eval b=mvcount(_time)
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...