Solved: I have a need to count the number of events ingest...

paulcurry · ‎02-25-2025

I would like to get a count of events of all data ingested for 2024. I have hundreds of indexes and all data over 90 days goes to DDAA. I can use "eventcounts" for the searchable data and just multiply by 4 for an estimate.

Using:

| eventcount summarize=false index=*
| stats sum(count) as total_events by index
| fieldformat total_events=tostring(total_events,"commas")
| addcoltotals

Is there a way to get eventcounts for archived data?

richgalloway · ‎02-25-2025

Archived data must be restored before it can be searched.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

paulcurry · ‎02-26-2025

That's what I thought. Thank you for confirming.

richgalloway · ‎02-25-2025

Archived data must be restored before it can be searched.

---
If this reply helps you, Karma would be appreciated.

I have a need to count the number of events ingested for 2024.

stats

Fastest way to demo Observability

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

Are you a member of the Splunk Community?

I have a need to count the number of events ingested for 2024.

stats

Fastest way to demo Observability

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps