Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to display individual event counts for each sourcetype?

bluemarvel
Path Finder
‎01-10-2017 10:05 AM

I have the following search and it works pretty well, however I need to see the event counts for each of the sourcetypes individually not as total count. 

index=windows (splunk_server=* OR splunk_server=*) OR (sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:System") | chart count values(sourcetype) as index by splunk_server |  table splunk_server index count | rename splunk_server TO abc-host |  rename index TO Log-Type
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎01-10-2017 10:15 AM

If I understood the original intention of you search filter, using tstats will be faster.

| tstats count where index=windows OR (sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:System") by index sourcetype splunk_server 
| table sourcetype splunk_server index count 
| rename splunk_server TO abc-host 
| rename index TO Log-Type

View solution in original post

Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎01-10-2017 10:15 AM

If I understood the original intention of you search filter, using tstats will be faster.

| tstats count where index=windows OR (sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:System") by index sourcetype splunk_server 
| table sourcetype splunk_server index count 
| rename splunk_server TO abc-host 
| rename index TO Log-Type
Reply
Solved! Jump to solution

bluemarvel
Path Finder
‎01-13-2017 08:02 AM

yes, it did thank you, had to re-arrange some things

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎01-13-2017 08:17 AM

Glad to hear it was straightened out.

0 Karma
Reply
Solved! Jump to solution

bluemarvel
Path Finder
‎01-12-2017 02:41 PM

not exactly ----the query gives me a total count of for all of the sources combined , I would like to see totals of each individually
total :135014
MSAD:NT6:DNS-Health
MSAD:NT6:DNS-Zone-Information
MSAD:NT6:Health
MSAD:NT6:Netlogon
MSAD:NT6:Replication
MSAD:NT6:SiteInfo
WinEventLog:DNS-Server
WinEventLog:Directory-Service
WindowsUpdateLog

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎01-12-2017 03:31 PM

I think I am missing something. The query I provided should give you a table with the total count of events per index, sourcetype, and server. For example, here is my own data using my query (I MD5'ed my host field). If this was your data, what field am I missing or what is out of place, because your last response does not clarify the request for me. Sorry.

 sourcetype               abc-host      Log-Type      count
 WinEventLog:Application  f6a667...   wineventlog     140
 WinEventLog:Security    f6a667...   wineventlog     169
 WinEventLog:System    f6a667...   wineventlog      611
0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎01-12-2017 10:48 AM

@bluemarvel, did my answer give you what you needed?

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...