Solved: How to search total events by sourcetype using tst...

mwdbhyat · ‎08-16-2016

Hi,

I need a top count of the total number of events by sourcetype to be written in tstats(or something as fast) with timechart put into a summary index, and then report on that SI. Using sitimechart changes the columns of my inital tstats command, so I end up having no count to report on. Any thoughts? My initial search before the sitimechart is:

| tstats count where index=main* groupby sourcetype _time

Thanks

inventsekar · ‎08-16-2016

try this one -

 | tstats count WHERE index=* by sourcetype _time

or, main* is required, then

 | tstats count WHERE index=main* by sourcetype _time

View solution in original post

inventsekar · ‎08-16-2016

try this one -

 | tstats count WHERE index=* by sourcetype _time

or, main* is required, then

 | tstats count WHERE index=main* by sourcetype _time

mwdbhyat · ‎08-16-2016

I found out the issue - I was just being an idiot and wrote my si command differently to the actual timechart. Thanks anyway!

inventsekar · ‎08-16-2016

regarding that timechart, you can check this one..

| tstats count WHERE index=main by _time host sourcetype span=30m | timechart span=30m sum(count) by sourcetype

if the issue is resolved, can you accept this answer.

How to search total events by sourcetype using tstats with timechart to put in a summary index?

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud