Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Stats summary help? Only linux systems showing up

dave_rook
Engager
‎02-09-2012 08:08 AM

I'm using this query right now:
stats count by host, source, date_mday

It only lists Linux hosts but lists the data exactly as I need. We've got a bunch of Windows boxes and I'm not sure exactly why the filtering is happening. I'm guessing because of date_ mday. The reason I'm using date_ mday is because I want to break down the count of log data by host and by source so that I can make sure I'm collecting everything as expected. Should I be using something based off _time? Is there a better way to get the summary I'm looking for?

I'm guessing this is something fairly simple, but I'm pretty new to splunk.

0 Karma
Reply

lguinn2
Legend
‎02-09-2012 08:28 AM

date_mday is created by Splunk, based on the time. This field exists for all events, regardless of source.

What you are showing is just the command part of a search string. Can you show the entire search string?

In the meantime, are any other queries working? When you login to Splunk, do you see any Windows data on the Summary page? Is the Windows data perhaps in a different index?

Reply

lguinn2
Legend
‎02-09-2012 11:34 AM

Weird. Well, try this:

splunk_server="SERVERNAME" |
eval date_mday = tonumber(strftime(_time,"%d")) |
stats count by host source date_mday

0 Karma
Reply

dave_rook
Engager
‎02-09-2012 08:37 AM

When I use the same search string without date_mday, the Windows sources show up as I'd expect.

The only other detail is that I'm limiting my search to a specific splunk server to limit the scope of my search:
splunk_server="SERVERNAME" | stats count by host, source, date_mday

I did set a date restriction (2012-02-01 00:00:00 to now). I'm not aware of any other input I might be excluding, as this is all I'm specifying in splunk.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...