Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Stats Count by day ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a query that gives me four totals for a month. I am trying to figure out how to show each four total for each day searched ?
Here is what I have so far:
index=anIndex sourcetype=aSourcetype "SFTP upload finished" OR "File sent to MFS" OR "File download sent to user" OR "HTTP upload finished"
earliest=-0month@month latest=now
| bucket _time span=day
| stats count(eval(searchmatch("SFTP upload finished"))) as SFTPCount
count(eval(searchmatch("File sent to MFS"))) as MFSCount
count(eval(searchmatch("File download sent to user"))) as DWNCount
count(eval(searchmatch("HTTP upload finished"))) as HTTPCount
| table SFTPCount MFSCount DWNCount HTTPCount
SFTPCount MFSCount DWNCount HTTPCount
| 30843 | 535 | 1584 | 80 |
Now to show the results by each day ?
I have a line to specify my bucket ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure if I understand the question. You already bucketed _time. The simplest is to just use it as groupby
index=anIndex sourcetype=aSourcetype "SFTP upload finished" OR "File sent to MFS" OR "File download sent to user" OR "HTTP upload finished"
earliest=-0month@month latest=now
| bucket _time span=day
| stats count(eval(searchmatch("SFTP upload finished"))) as SFTPCount
count(eval(searchmatch("File sent to MFS"))) as MFSCount
count(eval(searchmatch("File download sent to user"))) as DWNCount
count(eval(searchmatch("HTTP upload finished"))) as HTTPCount by _timeWill this work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sjringo You're so close... you need a "BY _time" on your stats line
index=anIndex sourcetype=aSourcetype "SFTP upload finished" OR "File sent to MFS" OR "File download sent to user" OR "HTTP upload finished"
earliest=-0month@month latest=now
| bucket _time span=day
| stats count(eval(searchmatch("SFTP upload finished"))) as SFTPCount
count(eval(searchmatch("File sent to MFS"))) as MFSCount
count(eval(searchmatch("File download sent to user"))) as DWNCount
count(eval(searchmatch("HTTP upload finished"))) as HTTPCount BY _timeIf this reply helps you, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure if I understand the question. You already bucketed _time. The simplest is to just use it as groupby
index=anIndex sourcetype=aSourcetype "SFTP upload finished" OR "File sent to MFS" OR "File download sent to user" OR "HTTP upload finished"
earliest=-0month@month latest=now
| bucket _time span=day
| stats count(eval(searchmatch("SFTP upload finished"))) as SFTPCount
count(eval(searchmatch("File sent to MFS"))) as MFSCount
count(eval(searchmatch("File download sent to user"))) as DWNCount
count(eval(searchmatch("HTTP upload finished"))) as HTTPCount by _timeWill this work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yup, I was trying to do the BY _time after each count ((...)) AS ... by _time instead of doing it after the very last one...
I knew I was close I just was not seeing it !!!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
