Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search a count of events by index-name every day and output a table with certain numeric and case formatting?

crazyeva
Contributor
‎12-09-2015 11:52 PM

All I want is a table like this with a little style:

_time         INDEX1 (events)    INDEX2 (events)    INDEX3 (events)
2015-12-03         822               2,211             1,312,118
2015-12-02        1,133              2,104              982,127
2015-12-01        1,320              2,612              991,815

"a little style" means all numbers with commas, convert all lower-case index-name to upper-case letter.
First I run a summary search everyday as *|sitimechart span=1d count by index
Then my search string:

index=summary search_name="events count summary"
 [search index=summary search_name="events count summary" earliest=-5d | fields orig_index | return 1000 orig_index]      
## trying to ignore old indexes.
| bin _time span=1d 
| stats count by _time orig_index 
| rename orig_index as index 
| append [search earliest=-0d@d | fields index | bin _time span=1d | stats count by _time index]
## append today's events
| fieldformat count=tostring(count,"commas") 
| eval index=upper(index)+" (events)"
| xyseries _time index count 
| fields - VALUE_* 
## remove some unexpected fields
| sort - _time

but all commas get lost after the xyseries command.
Could anyone help me with this? or just ignore all above and offer me a pretty one?

Another problem:

...| stats count by _time index | timechart values(count) by index span=1d

I first use timechart instead of xyseries, any other numerical field is OK, but 'count', it combines _time to months and makes values(count) a multivalue field. That confused me.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-10-2015 02:46 AM

Try eval count=tostring(count,"commas") instead of fieldformat count=tostring(count,"commas")

Not sure about your exact requirement but try below search also after setting the time range to last 5 days

|tstats count where index=* by _time index|eval index=upper(index)+" (events)" |eval count=tostring(count, "commas")|xyseries _time index count
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-10-2015 02:46 AM

Try eval count=tostring(count,"commas") instead of fieldformat count=tostring(count,"commas")

Not sure about your exact requirement but try below search also after setting the time range to last 5 days

|tstats count where index=* by _time index|eval index=upper(index)+" (events)" |eval count=tostring(count, "commas")|xyseries _time index count
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

crazyeva
Contributor
‎12-10-2015 06:56 AM

Thank you! Just replacing fieldformat with eval has solved my problem.
I have tried |tstats. That should be much prettier for my requirement.
But I still get a problem: I am not checking only last 5 days' statistics.
I mean the results should remain only the fileds(indexes) that have some events indexed in the last 5 days, so I won't see those 'blank' or 'null' or '0' after sorted by -_time, at least not in the first 5 lines.
I used |search [search tstats count where index=* earliest=-5d by _time index|return 100 index ] after |tstatscommand, trying to restrict indexes range, but failed.
Is there any way to get rid of my turbid search? as http://postimg.org/image/a8w4tdtd3/

0 Karma
Reply
Solved! Jump to solution

tom_frotscher
Builder
‎12-10-2015 02:13 AM

Hi can you mabe offer an example or a screenshot of what your results look like after the "--append today's events" step. So we can offer you a solution based on this result.

0 Karma
Reply
Solved! Jump to solution

crazyeva
Contributor
‎12-10-2015 06:30 AM

Hi, tom
Thank you. I have captured some screenshots.
This is what I want: http://postimg.org/image/a8w4tdtd3/
And this at first troubled me a lot: http://postimg.org/image/8dzj6i86x/
I think renjith just solved my problem, according to him, I replaced fieldformat with eval, all commas came back.
I append a subsearch earliest=-0d@d so that I can see current day's count. otherwise the earliest edit:latest day will be yesterday, cause summary search is not yet triggered today.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...