Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Count events in summary index

oshirnin
Path Finder
‎05-12-2021 06:31 AM

Hello, everybody!

Does anybody can help with such an easy problem as counting events in summary index?

I have a summary index populated with something like SS:

 

| tstats prestats=true summariesonly=false
    min(CPU.CPU_Performance.cpu_load_percent),
    avg(CPU.CPU_Performance.cpu_load_percent), 
    max(CPU.CPU_Performance.cpu_load_percent)
  from datamodel=MODEL where nodename=CPU.CPU_Performance
  by host, CPU.CPU_Performance.cpu_instance 
| sistats
    min(CPU.CPU_Performance.cpu_load_percent),     
    avg(CPU.CPU_Performance.cpu_load_percent), 
    max(CPU.CPU_Performance.cpu_load_percent)
  by host, CPU.CPU_Performance.cpu_instance 
| addinfo 
| eval _time=info_min_time, host=upper(host) 
| fields - info_sid, info_search_time, info_min_time, info_max_time
| collect index=my_summary

 

My SS is scheduled to run once an hour, so I every hour get 1 event for each orig_host in summary index.

Now I want to check, if all the required events are here in summary index. I expect to get count=24 events for each orig_host in summary index for each day. When I try the search:

 

index=my_summary | stats count by orig_host

 

I get all the psrsvd_ct_ values summarized giving me not what I expected. How should I change my search to count events in summary index?

Labels (1)
Labels
0 Karma
Reply

oshirnin
Path Finder
‎05-15-2021 05:17 AM

Hello, can anyone help with this?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-12-2021 08:10 AM 
index=my_summary 
| bin span=1d _time
| stats count by _time orig_host
0 Karma
Reply

oshirnin
Path Finder
‎05-13-2021 01:30 AM

@ITWhisperer this doesn't work, it takes psrsvd_ct_ values and sum these. Please, check attached

splunk01.PNG

splunk02.PNG

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-13-2021 02:02 AM

It looks like orig_host might be a multivalue field in your summary index, with your host repeated 3.5 times. (3.5 * 24 = 84). Please can you check?

0 Karma
Reply

oshirnin
Path Finder
‎05-13-2021 04:12 AM

Sure my orig_host is NOT MV

splunk03.PNG

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-15-2021 06:04 AM

How about _time

| eval b=mvcount(_time)
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...