- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to write a search to calculate these totals to...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
I need to do the following calculations and return them in their own single value visualization. Any thoughts on the timechart search to use?
- Total Number of Systems
- Total Volume Indexed
- Total Number of Events
- Total Number of Sourcetypes
- Total Volumes transferred per day
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try these (pick your timeframe)
*Total Number of Systems *
index=yourindex | stats dc(host) as hosts
*Total Volume Indexed*
index="_internal" source="*metrics.log" group="per_host_thruput" | stats sum(kb) | sort - sum(kb)
*Total Number of Events*
| metadata type=sourcetypes | stats sum(totalCount) as totalevents
*Total Number of Sourcetypes *
| metadata type=sourcetypes index=* | stats count
*Total Volumes transferred per day*
Not sure what this means
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try these (pick your timeframe)
*Total Number of Systems *
index=yourindex | stats dc(host) as hosts
*Total Volume Indexed*
index="_internal" source="*metrics.log" group="per_host_thruput" | stats sum(kb) | sort - sum(kb)
*Total Number of Events*
| metadata type=sourcetypes | stats sum(totalCount) as totalevents
*Total Number of Sourcetypes *
| metadata type=sourcetypes index=* | stats count
*Total Volumes transferred per day*
Not sure what this means
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks - is there any way to put this all in the form of a single value trendline visual so that I can monitor changes for each. The top 4 questions will be over 30 days. The last one is per day.
With regards to the "Total Volume Indexed" how would I set this for specific indexes(all of the above are for specific indexes)
"Total Volume transferred per day" would be the amount of data indexed per day to a specific index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure what you mean by "all in the form of a single values trendline visual". You cannot combine these into to one single value visualization, if that's what you are asking. Single Value shows only one value, hence single value. What you can do is create a dashboard with a single value for each.
To get the total volume for a specific index, you can add index=nameofindex to the query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for the reply. Yes they are all separate single value viz's..
I need them to display changes per month. IE - total number of events would show the single value with either an arrow up or down depending on the increase or decrease since the last month.. I need that sort of thing for each separate visual I am creating(hosts, sourcetypes, volume etc).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah!!! In that case, change the stats command to timechart like this and run it over 2 months (or add earliest=-2mon@mon)
... | timechart span=1mon count partial=f
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
