Splunk Search

How to edit my search to display individual event counts for each sourcetype?

bluemarvel
Path Finder

I have the following search and it works pretty well; however, I need to see the event counts for each of the sourcetypes individually, not as a total count.

index=windows (splunk_server=* OR splunk_server=*) OR (sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:System")
| chart count values(sourcetype) as index by splunk_server
| table splunk_server index count
| rename splunk_server TO abc-host
| rename index TO Log-Type
0 Karma
1 Solution

rjthibod
Champion

If I understood the original intention of your search filter, using tstats will be faster.

| tstats count where index=windows OR (sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:System") by index sourcetype splunk_server 
| table sourcetype splunk_server index count 
| rename splunk_server TO abc-host 
| rename index TO Log-Type


bluemarvel
Path Finder

Yes, it did, thank you. I had to re-arrange some things.

0 Karma

rjthibod
Champion

Glad to hear it was straightened out.

0 Karma

bluemarvel
Path Finder

Not exactly. The query gives me a total count for all of the sources combined; I would like to see totals for each individually.
total :135014
MSAD:NT6:DNS-Health
MSAD:NT6:DNS-Zone-Information
MSAD:NT6:Health
MSAD:NT6:Netlogon
MSAD:NT6:Replication
MSAD:NT6:SiteInfo
WinEventLog:DNS-Server
WinEventLog:Directory-Service
WindowsUpdateLog

0 Karma

rjthibod
Champion

I think I am missing something. The query I provided should give you a table with the total count of events per index, sourcetype, and server. For example, here is my own data using my query (I MD5'ed my host field). If this was your data, what field am I missing or what is out of place, because your last response does not clarify the request for me. Sorry.

 sourcetype               abc-host    Log-Type      count
 WinEventLog:Application  f6a667...   wineventlog   140
 WinEventLog:Security     f6a667...   wineventlog   169
 WinEventLog:System       f6a667...   wineventlog   611
0 Karma
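The accepted tstats answer already returns one row per index, sourcetype and server, which is the per-sourcetype breakdown asked for. The reason the original search collapsed everything into one number is that `chart count ... by splunk_server` groups only by server, so the sourcetypes end up as a multivalue field in a single row. As an added example (written here, not code from either poster), the following search shows how to get both views at once: a per-host row with one column per sourcetype, a row total, and a final "All hosts" row summing each column. It assumes the same `index=windows` and the three Security/Application/System sourcetypes from the question.

```spl
| tstats count
    where index=windows sourcetype IN ("WinEventLog:Security", "WinEventLog:Application", "WinEventLog:System")
    by splunk_server sourcetype
| xyseries splunk_server sourcetype count
| fillnull value=0
| addtotals fieldname=Total
| addcoltotals labelfield=splunk_server label="All hosts"
| rename splunk_server AS abc-host
```

`xyseries` pivots the per-sourcetype rows into columns so each host is a single row; `fillnull` makes sure a host that logged nothing for one sourcetype shows 0 rather than an empty cell; `addtotals` gives the combined count per host that the original search was effectively producing; `addcoltotals` appends the overall totals. Drop the `xyseries` line (and the two totals commands) if you prefer the long one-row-per-sourcetype form from the accepted answer.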

rjthibod
Champion

@bluemarvel, did my answer give you what you needed?

0 Karma