Indexed Events Per Minute

HeinzWaescher
Motivator

Hi,

Is it possible to write a search that shows the total count of events by indextime (span=1m)?

Best

Heinz

lukejadamec
Super Champion

Try this: UPDATED with a search that works.

index=main |  eval indexed_time=strftime(_indextime, "%+") | timechart span="1m" count(indexed_time)

lukejadamec
Super Champion

Cool, so you're all set then?

HeinzWaescher
Motivator

hey,

Renaming _time works. Just try out a very simple search:

your search | eval _time=now() | timechart count

lukejadamec
Super Champion

I don't think calling _indextime _time is going to change the time used by timechart.
I think what you want to do is extract the minute from the _indextime field, and then count by that minute.

HeinzWaescher
Motivator

Hi,

But this search is using _time and not the indextime, right? And _time uses the timestamp of the event.
So for my purposes the timechart should use the indextime.

Could this be a correct approach?

index=* | rename _indextime AS _time | timechart span=1min count | sort 0 - _time

I get results, but have no option to check them.

lukejadamec
Super Champion

Thanks, learn something new every day. Also, I learned that the search I posted gives the wrong results... Updating it now.

lguinn2
Legend

FYI, _indextime=* is unnecessary, as all events have the _indextime field.

The sort and the table commands are likewise unneeded, as stats already does these functions.

Otherwise, this is fine.

MuS
Legend

Hi HeinzWaescher,

Could it be you are looking for eventcount ?

Cheers, MuS

ahjmcaleer
Engager

I downvoted this post because the link no longer works.

MuS
Legend

@ahjmcaleer, downvoting an over-three-year-old post is pretty harsh... but I'm also here to help, so find the most recent link here: http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Eventstats

I'm looking forward to your upvote 😉

HeinzWaescher
Motivator

Hey MuS,

Thanks for the new input. This search works fine and gives the same results as the search I tried out earlier:

index=* | rename _indextime AS _time | timechart span=1min count | sort 0 - _time

MuS
Legend

Hi Heinz, now that I'm able to test things I would suggest that you use something like this:

index=* | bucket span=1m _indextime | eval myTime=strftime(_indextime, "%+") | chart count by myTime

timechart uses _time underneath, and with chart you can define 'over' and 'by' clauses.
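To make the point in this thread concrete (timechart always buckets on _time, so counting by index time needs either `bucket _indextime` with `stats`/`chart`, or the `rename _indextime AS _time` trick before timechart), here is an added Python model of those SPL operations. It is not code from the thread or from Splunk; the events, the BASE timestamp and the function names are constructed for the illustration. It also reports the largest _indextime minus _time gap, because late indexing is what makes per-minute counts by event time and by index time disagree, and it is the same lag that delays any time-window alert.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (assumption: not taken from the thread). Every
# Splunk event carries _time (the timestamp parsed from the event) and
# _indextime (the epoch second at which the indexer wrote it). BASE is
# 2024-01-01 10:00:00 UTC. The last two events are late arrivals: they
# happened at 10:00 but were not indexed until 10:03, which is exactly the
# case where counting by _time and counting by _indextime diverge.
BASE = 1704103200
EVENTS = [
    {"_time": BASE + 5,  "_indextime": BASE + 7},
    {"_time": BASE + 30, "_indextime": BASE + 33},
    {"_time": BASE + 70, "_indextime": BASE + 72},
    {"_time": BASE + 10, "_indextime": BASE + 190},   # late by 180 s
    {"_time": BASE + 20, "_indextime": BASE + 200},   # late by 180 s
]


def bucket(epoch, span=60):
    """Model of `bucket span=1m <field>`: floor the epoch to the start of its span."""
    return epoch - (epoch % span)


def count_by_field(events, field, span=60):
    """Model of `bucket span=1m <field> | stats count by <field>` as {bucket_epoch: count}."""
    return dict(sorted(Counter(bucket(e[field], span) for e in events).items()))


def timechart_count(events, span=60):
    """timechart always buckets on _time, whatever that field currently holds."""
    return count_by_field(events, "_time", span)


def rename_indextime_to_time(events):
    """Model of `rename _indextime AS _time`: the index time now sits in _time."""
    return [dict(e, _time=e["_indextime"]) for e in events]


def max_index_lag(events):
    """Largest _indextime - _time gap in seconds (how late the slowest event was indexed)."""
    return max(e["_indextime"] - e["_time"] for e in events)


def fmt(epoch):
    """Human-readable minute label for a bucket epoch (UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    by_time = timechart_count(EVENTS)
    by_index = count_by_field(EVENTS, "_indextime")
    print("per minute by _time      :", {fmt(k): v for k, v in by_time.items()})
    print("per minute by _indextime :", {fmt(k): v for k, v in by_index.items()})
    # The rename trick from the thread gives the same buckets as bucket+stats on _indextime.
    print("rename trick matches     :", timechart_count(rename_indextime_to_time(EVENTS)) == by_index)
    print("max index lag (seconds)  :", max_index_lag(EVENTS))
```

Run as a script it prints the two per-minute views side by side: by event time all five events except one fall into 10:00, while by index time two of them land in 10:03. The rename approach and the `bucket _indextime | stats count by _indextime` approach produce identical buckets, which matches what the thread concluded.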

MuS
Legend

Maybe something like

YourSearch | bucket _indextime span=1m | stats count by _indextime

HeinzWaescher
Motivator

Hi,

I already had a look at this, but don't know how to achieve my goal with it.
