Getting count per day for a specific splunk query

manish41711 · ‎10-05-2017

I run index=hydra bu=dmg env="prod-*" ERROR everyday and record the count. I lost the statistics I had kept and would like to get them back. Is there a query that can help me do this? The query should get me the count of running the above query as if run daily (24 hr span).

DalJeanis · ‎10-05-2017

@manish41711 - yes, that query will get your the daily figures. So would the following

 index=hydra bu=dmg env="prod-*" ERROR
 | bin _time span=1d
 | stats count as dailycount by _time

manish41711 · ‎10-05-2017

Will this query help ? index=hydra bu=dmg env="prod-*" ERROR earliest=-90d@d latest=@d | timechart span=1d count

niketn · ‎10-05-2017

@manish41711, This query gets you daily aggregated count of "ERROR" events for last 90 days. Is this what you want?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Getting count per day for a specific splunk query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation

Getting count per day for a specific splunk query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...