Solved: How to compare multiple sourcetypes?

tonahoyos · ‎05-02-2018

Hello,

In one index I have multiple sourcetypes. I want to be able to compare the values between these sourcetypes, but I do not know where to even start.

I was trying the following search:

index="log"
| stats count events if(sourcetype="SAT") as SAT

but this search seems very complicated. I want to be able to do something like:

|stats count events by sourcetype

but again, this doesn't work. Help!

somesoni2 · ‎05-02-2018

If you're only interested in event count, you can use a rather efficient command tstats (works on metadata fields e.g. index/host/sourcetype/source etc which you seems to do)

To get a row for each sourcetype with count of events in selected time range

|tstats count WHERE index="log" by sourcetype

To get a column for each sourcetype with count of events in selected time range

|tstats count WHERE index="log" by index sourcetype   | chart sum(count) by index sourcetype limit=0

View solution in original post

somesoni2 · ‎05-02-2018

If you're only interested in event count, you can use a rather efficient command tstats (works on metadata fields e.g. index/host/sourcetype/source etc which you seems to do)

To get a row for each sourcetype with count of events in selected time range

|tstats count WHERE index="log" by sourcetype

To get a column for each sourcetype with count of events in selected time range

|tstats count WHERE index="log" by index sourcetype   | chart sum(count) by index sourcetype limit=0

tonahoyos · ‎05-02-2018

Perfect! Thank you!

How to compare multiple sourcetypes?

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

How to compare multiple sourcetypes?

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience