Afternoon Splunk Gurus
I wonder if you would be so kind as to help / point me in the right direction?
I'm new to Splunk and still getting used to extracting data. I'm looking to find out how to get the total number of logs which go to an index in a set time period (24 hours)?
Or even how to get all the indexes currently in Splunk, the log source and the number of logs in the last 24 hours.
Many thanks for any help provided.
Hi DDewarSplunk.
For one index, try:
index=your_index earliest=-24h@h latest=now
| stats count
If you have more indexes, try:
index=* earliest=-24h@h latest=now
| stats count by index
Bye.
Giuseppe
| tstats count where index=* by index
Super late to the party, but this query will get it done for everything but internals at a fraction of the time.
Please install the below app from Splunkbase. It will give you an overall idea about your host, index and sourcetype:
https://splunkbase.splunk.com/app/2949/
If the above app is not working out, please try the below query:
| tstats count as Total where index=* host=* sourcetype=* by index source sourcetype
or
index=_internal (source=*/metrics.log OR source=*\metrics.log) group=per_sourcetype_thruput | chart sum(kb) by series | sort -sum(kb) | head 5
Thanks Giuseppe, that's great.
I've been adding a dedup etc. and can better understand how to query.
Can I ask about the | stats count by index
Is this counting "events" or actual log files sent up to the index?
I need to see how many log files are sent up; maybe it's one and the same thing.
Thanks again
D
Hi DDewarSplunk.
Beware: if you use the dedup command you don't have the real total count of events sent to the indexes!
Anyway, stats count by index gives you the number of events for each index; if you want the number of sources, you have to use
stats dc(source) as sources by index
You can also display both pieces of information:
index=* earliest=-24h@h latest=now
| stats count dc(source) as sources by index
Bye.
Giuseppe
P.S.: if this answer is good for you, please remember to accept or upvote it
Many Thanks G
D
Thanks Giuseppe I appreciate your time with this.
I am running this and it shows me the total "events" (huge number):
| eventcount index=* earliest=-24h@h latest=now summarize=false
| dedup index
| sort count desc
If I run your latest then I get an error: Error in 'stats' command: The argument 'stats' is invalid.
Any ideas ? 😞
Hi DDewarSplunk.
You don't need to use eventcount; in addition, if you dedup by index, count will always be 1.
What do you want to display: the number of events for each index, or the number of sources?
If you want the total events, you can use addcoltotals:
index=* earliest=-24h@h latest=now
| stats count dc(source) as sources by index
| addcoltotals labelfield=index
See also the Distributed Monitoring Console.
Bye.
Giuseppe
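The following is an added example, not code from the thread or from Splunk: it reproduces the semantics of `earliest=-24h@h latest=now | stats count dc(source) as sources by index | addcoltotals labelfield=index` in Python over a constructed set of events, to make visible the difference between the event count and the distinct-source count that the question asks about, and the effect of the `@h` snap on the window. The event tuples, index names and source paths are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events as (_time, index, source); not real data from the thread.
NOW = datetime(2024, 1, 10, 15, 37, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (NOW - timedelta(hours=1), "wineventlog", "WinEventLog:Security"),
    (NOW - timedelta(hours=2), "wineventlog", "WinEventLog:Security"),
    (NOW - timedelta(hours=3), "wineventlog", "WinEventLog:System"),
    (NOW - timedelta(minutes=5), "linux", "/var/log/auth.log"),
    # 24h05m ago: outside a plain -24h window, inside -24h@h because earliest snaps down to 15:00
    (NOW - timedelta(hours=24, minutes=5), "linux", "/var/log/syslog"),
    # 25h ago: before the snapped earliest, so excluded
    (NOW - timedelta(hours=25), "linux", "/var/log/syslog"),
]


def window_24h(now):
    """earliest=-24h@h latest=now: go back 24h, then snap earliest down to the hour."""
    earliest = (now - timedelta(hours=24)).replace(minute=0, second=0, microsecond=0)
    return earliest, now


def index_summary(events, now):
    """stats count dc(source) as sources by index | addcoltotals labelfield=index.

    count   = number of events per index (what the thread calls "events")
    sources = number of distinct source values per index (log files / inputs)
    The Total row sums each column, as addcoltotals does; note that summing the
    per-index dc() values is not a global distinct count across indexes.
    """
    earliest, latest = window_24h(now)
    counts = defaultdict(int)
    sources = defaultdict(set)
    for ts, index, source in events:
        if earliest <= ts <= latest:
            counts[index] += 1
            sources[index].add(source)
    rows = [{"index": i, "count": counts[i], "sources": len(sources[i])}
            for i in sorted(counts)]
    rows.append({"index": "Total",
                 "count": sum(r["count"] for r in rows),
                 "sources": sum(r["sources"] for r in rows)})
    return rows


if __name__ == "__main__":
    for row in index_summary(SAMPLE_EVENTS, NOW):
        print(row)
```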