Counting Events and then finding the sum?

asarran · ‎11-03-2016

Good Morning, Fellow Splunkers

I'm interested in counting events per hour for a 24 hr period. I would also like to have a sum total count for the end of the period. So within that hour how many alerts have been generated?

Time Alert
1h.............3
2h.............3
3h.............2
4h.............2
5h.............9
.
.
.
.
24h............(19) Sum

My search Query:
index=* host=* myalert=* |timechart span=1h count by host

gwobben · ‎11-03-2016

Give this a shot, it will give you the counts per hour and an extra row to sum up the total of the day:

| tstats count WHERE index=_internal GROUPBY _time span=1h
| appendpipe [timechart span=24h sum(count) as total]
| sort _time

If you don't want to use tstats (which can be up to 1000x times faster than a regular search) you can do this:

index=_internal 
| timechart span=1h count
| appendpipe [timechart span=24h sum(count) as total]
| sort _time

somesoni2 · ‎11-03-2016

Something like this

index= host= myalert=* |timechart span=1h count by host | addcoltotals

Counting Events and then finding the sum?

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Are you a member of the Splunk Community?

Counting Events and then finding the sum?

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...