Splunk Search

How to find out how many logs an index gets in a 24-hour period?

DDewarSplunk
New Member

Afternoon Splunk Gurus

I wonder if you would be so kind as to help / point me in the right direction?
I'm new to Splunk and still getting used to extracting data. I'm looking to find out how to get the total number of logs which go to an index in a set time period (24 hours).

Or even how to get all the indexes currently in Splunk, with the log source and the number of logs in the last 24 hours.

Many thanks for any help provided.

1 Solution

gcusello
Legend

Hi DDewarSplunk,
for one index, try:

index=your_index earliest=-24h@h latest=now
| stats count

If you have more indexes, try:

index=* earliest=-24h@h latest=now
| stats count by index

Bye.
Giuseppe

sbbadri
Motivator

@DDewarSplunk

Please install the below app from Splunkbase. It will give you an overall idea about your hosts, indexes and sourcetypes:

https://splunkbase.splunk.com/app/2949/

If the above app is not working out, please try the below query:

| tstats count as Total where index=* host=* sourcetype=* by index source sourcetype

or

index=_internal (source=*/metrics.log OR source=*\metrics.log) group=per_sourcetype_thruput | chart sum(kb) by series | sort -sum(kb) | head 5
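
The metrics.log query above sums the kb field of per_sourcetype_thruput samples by series. As an added example that is not part of this thread, here is a small Python script that performs the same aggregation offline over constructed metrics.log lines, so you can see exactly what the query is adding up; the log lines, series names and values are made up. One caveat the query does not make visible: metrics.log is a sampled view (one line per series per sampling interval, and by default only the busiest series in each interval are logged), so its kb totals approximate ingest volume rather than giving an exact event count the way stats count does.

```python
import re
from collections import defaultdict

# Constructed metrics.log lines (hypothetical sample data in the shape of
# Splunk's per_sourcetype_thruput / per_index_thruput metrics; values are made up).
METRICS_LOG = """\
01-15-2023 10:00:01.123 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.2, eps=10.0, kb=37.50, ev=300, avg_age=1, max_age=2
01-15-2023 10:00:01.123 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="WinEventLog:Security", kbps=4.0, eps=20.0, kb=120.00, ev=600, avg_age=1, max_age=2
01-15-2023 10:00:01.123 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=5.2, eps=30.0, kb=157.50, ev=900, avg_age=1, max_age=2
01-15-2023 10:00:31.456 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.0, eps=8.0, kb=30.25, ev=240, avg_age=1, max_age=2
01-15-2023 10:00:31.456 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=0.5, eps=3.0, kb=15.00, ev=90, avg_age=1, max_age=2
"""

# Pull out the group, the quoted series name and the kb value.
# \bkb= deliberately does not match the kbps= field that precedes it.
LINE_RE = re.compile(r'group=(?P<group>\w+).*?series="(?P<series>[^"]+)".*?\bkb=(?P<kb>[0-9.]+)')


def sum_kb_by_series(text, group="per_sourcetype_thruput"):
    """Equivalent of: group=<group> | chart sum(kb) by series"""
    totals = defaultdict(float)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None or m.group("group") != group:
            continue  # not a metrics line, or a different metrics group
        totals[m.group("series")] += float(m.group("kb"))
    return dict(totals)


def top_series(text, n=5, group="per_sourcetype_thruput"):
    """Equivalent of: ... | sort -sum(kb) | head <n>"""
    totals = sum_kb_by_series(text, group)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for series, kb in top_series(METRICS_LOG):
        print(f"{series:25s} {kb:8.2f} KB")
```

Switching the group argument to per_index_thruput gives the same kind of volume breakdown per index instead of per sourcetype.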

DDewarSplunk
New Member

Thanks Giuseppe, that's great.

I've been adding a dedup etc. and can better understand how to query.

Can I ask about the | stats count by index?
Is this counting "events" or actual log files sent up to the index?

I need to see how many log files are sent up; maybe it's one and the same thing.

Thanks again

D

gcusello
Legend

Hi DDewarSplunk,
beware: if you use the dedup command, you won't have the real total count of events sent to the indexes!

Anyway, stats count by index gives you the number of events for each index; if you want the number of sources, you have to use
stats dc(source) as sources by index
You can also display both pieces of information:

index=* earliest=-24h@h latest=now
| stats count dc(source) as sources by index

Bye.
Giuseppe

P.S.: if this answer is good for you, please remember to accept or upvote it

DDewarSplunk
New Member

Many Thanks G

D

DDewarSplunk
New Member

Thanks Giuseppe I appreciate your time with this.

I am running this and it shows me the total "events" (huge number):

| eventcount index=* earliest=-24h@h latest=now summarize=false
| dedup index
| sort count desc

If I run your latest then I get an error: Error in 'stats' command: The argument 'stats' is invalid.

Any ideas ? 😞

gcusello
Legend

Hi DDewarSplunk,
you don't need to use eventcount; in addition, if you have dedup index, count will always be 1.

What do you want to display: the number of events for each index? The number of sources?

If you want the total events, you can use addcoltotals:

index=* earliest=-24h@h latest=now
| stats count dc(source) as sources by index
| addcoltotals labelfield=index

See the Distributed Monitoring Console.

Bye.
Giuseppe
