Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to make the search time faster when including ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gabarrygowin
Path Finder
07-30-2018
01:01 PM
Hi everyone,
Would appreciate your input on a challenge. For our leadership's dashboard we've been asked to include a timechart of total servers (Windows and NIX).
My current search is just taking too long (7 hours). I can cron it for 5:30am and populate the dashboard. They don't need to the minute data, but data would be nice period.
"(index=unix OR index=windows) (sourcetype=WinEventLog* OR source=/var/log/*) (host!=*.ga.com) earliest=-5w@w latest=now
| eval host=upper(host)
| timechart dc(host) AS "Total Servers" span=1Mon
| delta "Total Servers" "
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-30-2018
01:40 PM
I would use tstats command here since your base search uses only the metadata fields (host/source/sourcetype/index-time created fields).
| tstats count WHERE (index=unix OR index=windows) (sourcetype="WinEventLog*" OR source="/var/log/*") (host!="*.ga.com") earliest=-5w@w latest=now by _time host span=1mon
| eval host=upper(host)
| timechart dc(host) AS "Total Servers" span=1mon
| delta "Total Servers"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-30-2018
01:40 PM
I would use tstats command here since your base search uses only the metadata fields (host/source/sourcetype/index-time created fields).
| tstats count WHERE (index=unix OR index=windows) (sourcetype="WinEventLog*" OR source="/var/log/*") (host!="*.ga.com") earliest=-5w@w latest=now by _time host span=1mon
| eval host=upper(host)
| timechart dc(host) AS "Total Servers" span=1mon
| delta "Total Servers"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gabarrygowin
Path Finder
07-31-2018
08:58 AM
Somesoni2 Rocks!! (as usual).
The tstats finished in 16.6 minutes (from 7 hours). This was across 84 Billion events!!
Get Updates on the Splunk Community!
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Feel the Splunk Love: Real Stories from Real Customers
Hello Splunk Community,
What’s the best part of hearing how our customers use Splunk? Easy: the positive ...
Data Management Digest – November 2025
Welcome to the inaugural edition of Data Management Digest!
As your trusted partner in data innovation, the ...
