Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to display individual event counts for each sourcetype?

bluemarvel
Path Finder
‎01-10-2017 10:05 AM

I have the following search and it works pretty well, however I need to see the event counts for each of the sourcetypes individually not as total count. 

index=windows (splunk_server=* OR splunk_server=*) OR (sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:System") | chart count values(sourcetype) as index by splunk_server |  table splunk_server index count | rename splunk_server TO abc-host |  rename index TO Log-Type
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎01-10-2017 10:15 AM

If I understood the original intention of you search filter, using tstats will be faster.

| tstats count where index=windows OR (sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:System") by index sourcetype splunk_server 
| table sourcetype splunk_server index count 
| rename splunk_server TO abc-host 
| rename index TO Log-Type

View solution in original post

Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎01-10-2017 10:15 AM

If I understood the original intention of you search filter, using tstats will be faster.

| tstats count where index=windows OR (sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:System") by index sourcetype splunk_server 
| table sourcetype splunk_server index count 
| rename splunk_server TO abc-host 
| rename index TO Log-Type
Reply
Solved! Jump to solution

bluemarvel
Path Finder
‎01-13-2017 08:02 AM

yes, it did thank you, had to re-arrange some things

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎01-13-2017 08:17 AM

Glad to hear it was straightened out.

0 Karma
Reply
Solved! Jump to solution

bluemarvel
Path Finder
‎01-12-2017 02:41 PM

not exactly ----the query gives me a total count of for all of the sources combined , I would like to see totals of each individually
total :135014
MSAD:NT6:DNS-Health
MSAD:NT6:DNS-Zone-Information
MSAD:NT6:Health
MSAD:NT6:Netlogon
MSAD:NT6:Replication
MSAD:NT6:SiteInfo
WinEventLog:DNS-Server
WinEventLog:Directory-Service
WindowsUpdateLog

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎01-12-2017 03:31 PM

I think I am missing something. The query I provided should give you a table with the total count of events per index, sourcetype, and server. For example, here is my own data using my query (I MD5'ed my host field). If this was your data, what field am I missing or what is out of place, because your last response does not clarify the request for me. Sorry.

 sourcetype               abc-host      Log-Type      count
 WinEventLog:Application  f6a667...   wineventlog     140
 WinEventLog:Security    f6a667...   wineventlog     169
 WinEventLog:System    f6a667...   wineventlog      611
0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎01-12-2017 10:48 AM

@bluemarvel, did my answer give you what you needed?

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...