Splunk Search

How to get a count of all of the events in all datamodels with tstats

Communicator

Hi, I am trying to get a list of datamodels and their counts of events for each, so as to make sure that our datamodels are working.

I have got a list of the datamodels here:

| datamodel | spath input=_raw output=datamodelname path="modelName" | table datamodelname

However, when I append the tstats command onto this, as in here, Splunk reponds with no data and "datamodel 'datamodelname' not found".

| tstats count from datamodel=datamodelname

I am guessing that the "datamodel" parameter in tstats should be a literal and not a variable field? If so, how do I execute this?

Kindest regards,

BlueSocket

0 Karma

Explorer

This is a very dumb solution, but I was looking for a quick and dirty way to see the numbers. Maybe this might spark another idea with someone else.

I amended the search and did this:

| datamodel
| spath input=_raw output=datamodelname path="modelName"
| table datamodelname
| map search="|tstats count($datamodelname$) count from datamodel=$datamodelname$"

So this gave me this table:
alt text

Match the zero to the count table, and you get the number of events.

Again, I know it's a lame way to do it, but it works for my intents.

0 Karma

SplunkTrust
SplunkTrust

You are probably going to want to use a map command based upon the output of the initial command. I don't have one handy, but I'll check and see if I can put one together when i get a chance, if no one has solved this for you by then.

Communicator

Thanks - I got a bit further, but not quite there with this query:

| datamodel | spath input=_raw output=datamodelname path="modelName" | table datamodelname | map search="|tstats count from datamodel=$datamodelname$ | eval datamodel=$datamodelname$ | table datamodel, count"

And I get this:

datamodel            count
----------------            --------
                             1928

I get the index and the count, but not the datamodel in the table. I am looking for:

datamodel      count
----------------      --------
security             1928

I tried:

0 Karma

Builder

This is what I have thus far. You have to specify the datamodel (which is fine as I'm not using all of them) but I can't seem to find the name of the field that has the datamodel name either.

| tstats summariesonly=t min(_time) as min, max(_time) as max count from datamodel=Web 
| append 
    [| tstats summariesonly=t min(_time) as min, max(_time) as max count from datamodel=Malware] 
| append 
    [| tstats summariesonly=t min(_time) as min, max(_time) as max count from datamodel=Intrusion_Detection ] 
| eval "Start time"=strftime(min, "%c") 
| eval "End time"=strftime(max, "%c") 
| eval "Event count" = count 
| fields "Start time" "End time" "Event count"

Communicator

I can't believe that no one has got an idea about this (and there have been 55 views with 44 people following this question)!