Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Monthly event count

goat
Explorer
‎11-09-2010 02:23 PM

I'm trying to get a monthly event count for all indexed data on a splunk server. I've searched on how to do it, but I've had no luck. Any help would be greatly appreciated.

Tags (2)
Reply

araitz
Splunk Employee
Splunk Employee
‎11-09-2010 04:30 PM

The timechart command that Ziegfried gave you will give you the best performance. Make sure you run this in the "Advanced Charting" view with the "Enable Preview" checkbox un-checked.

Really though, the best way to do this will only work going forward.

Create a saved search that runs at the end of each month and summarizes the following result:

| eventcount summarize=false | stats sum(count) as count

Give it a marker like "monthly_event_count". You can then use several techniques such as the 'delta', 'eval', 'timechart', or 'stats' command to create a monthly event count. Here is an example using delta:

index=summary marker="monthly_event_count" earliest=-3m@m | delta count as count
Reply

goat
Explorer
‎11-09-2010 04:43 PM

Thanks all! I appreciate the input and the prompt feedback. I will follow your advise.

0 Karma
Reply

ziegfried
Influencer
‎11-09-2010 02:30 PM 
* | timechart span=1mon count

or

* | stats count by date_month, date_year
Reply

goat
Explorer
‎11-09-2010 04:04 PM

Thanks ziegfried,

That works; however the query take forever to run. I was hoping that info is also stored somewhere in the metrics logs, hence quicker to query.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...