Splunk Search

How to get the event count for the last 24 hours as a scheduled report?

dhavamanis
Builder

Can you please tell us how to get the last 24 hours' event count to schedule the report?

1 Solution

sk314
Builder
  1. Save your Splunk search.
  2. Click on Settings -> Searches and Reports -> [your saved search]
  3. Schedule it.

If you want a count of all events in the last 24 hours, you could try this:

* earliest=-24h latest=now | stats count (searches the default index only)

If you want the event count for a specific search, try this:

[your splunk search] earliest=-24h latest=now | stats count

ArunIndy
Observer

Hello, I tried using the 'earliest' option and I'm getting this error:

<search>
<query>index="mulertf" "$form.env$-glot-product-sapi-v1" AND "Before updating data for GCPN:" |earliest=-24h latest=now | stats count</query>
</search>
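
An added example, not part of the original thread: `earliest` and `latest` are time modifiers of the base search, so they go before the first pipe rather than after one. In a Simple XML dashboard the same range can instead be set with the `<earliest>` and `<latest>` elements of `<search>`. The index, token and search strings are copied from the post above.

```xml
<!-- Added example, not from the original posts. -->

<!-- Option 1: time modifiers inside the base search, before the first pipe. -->
<search>
  <query>index="mulertf" "$form.env$-glot-product-sapi-v1" AND "Before updating data for GCPN:" earliest=-24h latest=now | stats count</query>
</search>

<!-- Option 2: time range set on the search element; the query carries no time modifiers. -->
<search>
  <query>index="mulertf" "$form.env$-glot-product-sapi-v1" AND "Before updating data for GCPN:" | stats count</query>
  <earliest>-24h</earliest>
  <latest>now</latest>
</search>
```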