Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Counting Events and then finding the sum?

asarran
Path Finder
‎11-03-2016 07:57 AM

Good Morning, Fellow Splunkers

I'm interested in counting events per hour for a 24 hr period. I would also like to have a sum total count for the end of the period. So within that hour how many alerts have been generated?

Time Alert
1h.............3
2h.............3
3h.............2
4h.............2
5h.............9
.
.
.
.
24h............(19) Sum

My search Query:
index=* host=* myalert=* |timechart span=1h count by host

0 Karma
Reply

gwobben
Communicator
‎11-03-2016 08:25 AM

Give this a shot, it will give you the counts per hour and an extra row to sum up the total of the day:

| tstats count WHERE index=_internal GROUPBY _time span=1h
| appendpipe [timechart span=24h sum(count) as total]
| sort _time

If you don't want to use tstats (which can be up to 1000x times faster than a regular search) you can do this:

index=_internal 
| timechart span=1h count
| appendpipe [timechart span=24h sum(count) as total]
| sort _time
0 Karma
Reply

somesoni2
Revered Legend
‎11-03-2016 08:00 AM

Something like this

index= host= myalert=* |timechart span=1h count by host | addcoltotals
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...
Top