Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Monthly event count

goat
Explorer
‎11-09-2010 02:23 PM

I'm trying to get a monthly event count for all indexed data on a splunk server. I've searched on how to do it, but I've had no luck. Any help would be greatly appreciated.

Tags (2)
Reply

araitz
Splunk Employee
Splunk Employee
‎11-09-2010 04:30 PM

The timechart command that Ziegfried gave you will give you the best performance. Make sure you run this in the "Advanced Charting" view with the "Enable Preview" checkbox un-checked.

Really though, the best way to do this will only work going forward.

Create a saved search that runs at the end of each month and summarizes the following result:

| eventcount summarize=false | stats sum(count) as count

Give it a marker like "monthly_event_count". You can then use several techniques such as the 'delta', 'eval', 'timechart', or 'stats' command to create a monthly event count. Here is an example using delta:

index=summary marker="monthly_event_count" earliest=-3m@m | delta count as count
Reply

goat
Explorer
‎11-09-2010 04:43 PM

Thanks all! I appreciate the input and the prompt feedback. I will follow your advise.

0 Karma
Reply

ziegfried
Influencer
‎11-09-2010 02:30 PM 
* | timechart span=1mon count

or

* | stats count by date_month, date_year
Reply

goat
Explorer
‎11-09-2010 04:04 PM

Thanks ziegfried,

That works; however the query take forever to run. I was hoping that info is also stored somewhere in the metrics logs, hence quicker to query.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...