Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search for and display the count of events ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
changux
Builder
10-31-2016
02:34 PM
Hi all.
I have a search that begins with:
index="first" OR index="second" sourcetype=*
I need to show a table with a lot of columns. The first should be the total events in a particular sourcetype (data1). Somebody can suggest please an eval syntax to do that?
Regards.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twinspop
Influencer
10-31-2016
02:41 PM
index=first OR index=second | stats count by sourcetype | fields count sourcetype
Maybe I'm misunderstanding the question.
EDIT: Second Attempt:
index=first OR index=second |
stats count by sourcetype field1 field2 field3 |
eventstats sum(count) as total by sourcetype |
fields total sourcetype field1 field2 field3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twinspop
Influencer
10-31-2016
02:41 PM
index=first OR index=second | stats count by sourcetype | fields count sourcetype
Maybe I'm misunderstanding the question.
EDIT: Second Attempt:
index=first OR index=second |
stats count by sourcetype field1 field2 field3 |
eventstats sum(count) as total by sourcetype |
fields total sourcetype field1 field2 field3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
changux
Builder
10-31-2016
02:46 PM
Thanks. I need something like:
index="first" OR index="second" | table EVENTSCOUNTINSOURCETYPEDATA1, field5, field3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twinspop
Influencer
10-31-2016
03:01 PM
Maybe second attempt above is what you're after
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twinspop
Influencer
10-31-2016
02:40 PM
Just a point of advice: Don't use wildcards unless absolutely necessary. In this case, it really isn't doing anything for you at all. Without specifying sourcetype=* it will return all sourcetypes. But it's a horrible habit to get into. Wildcards are evil and should be avoided whenever possible.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
changux
Builder
10-31-2016
02:43 PM
Thanks for the advice!
Get Updates on the Splunk Community!
Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!
Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...
Introducing Edge Processor: Next Gen Data Transformation
We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...
Take the 2021 Splunk Career Survey for $50 in Amazon Cash
Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...
