Monthly event count

goat · ‎11-09-2010

I'm trying to get a monthly event count for all indexed data on a splunk server. I've searched on how to do it, but I've had no luck. Any help would be greatly appreciated.

araitz · ‎11-09-2010

The timechart command that Ziegfried gave you will give you the best performance. Make sure you run this in the "Advanced Charting" view with the "Enable Preview" checkbox un-checked.

Really though, the best way to do this will only work going forward.

Create a saved search that runs at the end of each month and summarizes the following result:

| eventcount summarize=false | stats sum(count) as count

Give it a marker like "monthly_event_count". You can then use several techniques such as the 'delta', 'eval', 'timechart', or 'stats' command to create a monthly event count. Here is an example using delta:

index=summary marker="monthly_event_count" earliest=-3m@m | delta count as count

goat · ‎11-09-2010

Thanks all! I appreciate the input and the prompt feedback. I will follow your advise.

ziegfried · ‎11-09-2010

* | timechart span=1mon count

or

* | stats count by date_month, date_year

goat · ‎11-09-2010

Thanks ziegfried,

That works; however the query take forever to run. I was hoping that info is also stored somewhere in the metrics logs, hence quicker to query.

Monthly event count

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk