Solved: How to count number of events in a search result?

echojacques · ‎10-09-2013

The objective of this search is to count the number of events in a search result. This is the current search logic that I am using (which uses the linecount command):

sourcetype="my_source" filter_result="hello_world" | stats sum(linecount) as Total

Is there an "eventcount" command that simply counts the number of events that I can use instead of "linecount"? The reason is that linecount sometimes over-counts some results (i.e. it will count 100 when there are actually only 75 events).

Thanks!

gfuente · ‎10-09-2013

Hello

Linecount is the number of lines per event

I guess you are looking for something like:

sourcetype="my_source" filter_result="hello_world" | stats count as Total

Regards

View solution in original post

bbialek · ‎12-17-2015

Here is a way to count events per minute if you search in hours:

* | timechart count(_raw) span=1h

stevenatmit · ‎06-05-2014

I finally found something that works, but it is a slow way of doing it.

gfuente · ‎10-09-2013

Hello

Linecount is the number of lines per event

I guess you are looking for something like:

sourcetype="my_source" filter_result="hello_world" | stats count as Total

Regards

echojacques · ‎10-09-2013

Yes, this is exactly what I was looking for. I just tested it and it works. Thank you!

How to count number of events in a search result?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7