Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search total events by sourcetype using tstats with timechart to put in a summary index?

mwdbhyat
Builder
‎08-16-2016 04:01 AM

Hi,

I need a top count of the total number of events by sourcetype to be written in tstats(or something as fast) with timechart put into a summary index, and then report on that SI. Using sitimechart changes the columns of my inital tstats command, so I end up having no count to report on. Any thoughts? My initial search before the sitimechart is: 

| tstats count where index=main* groupby sourcetype _time

Thanks

Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎08-16-2016 04:20 AM

try this one - 

 | tstats count WHERE index=* by sourcetype _time

or, main* is required, then

 | tstats count WHERE index=main* by sourcetype _time
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎08-16-2016 04:20 AM

try this one - 

 | tstats count WHERE index=* by sourcetype _time

or, main* is required, then

 | tstats count WHERE index=main* by sourcetype _time
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

mwdbhyat
Builder
‎08-16-2016 04:43 AM

I found out the issue - I was just being an idiot and wrote my si command differently to the actual timechart. Thanks anyway!

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎08-16-2016 04:47 AM

regarding that timechart, you can check this one..

| tstats count WHERE index=main by _time host sourcetype span=30m | timechart span=30m sum(count) by sourcetype

if the issue is resolved, can you accept this answer.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...