Splunk Search

Total number of events by index over the last month

wtaylor149
Explorer

Hello,
This to me seems like a rather easy question to have answered but I'll be if I can find one.

I'm looking to create a report on the first day of the month that will provide me the total count of indexed events from the previous month.

The use case is to provide the total number. I would also like as "nice to have" the total broken down over index as well. But the total number is really what is needed at this point.

Thanks in advance for helping the rookie.

0 Karma

somesoni2
Revered Legend

You would need this search to run faster, so try something like this:

| tstats count WHERE index=* by index | addcoltotals labelfield=index label=ALL

Select the timerange as previous month OR from -1mon@mon to @mon
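The original question asks for a report that fires on the first of the month for the previous month. The following savedsearches.conf stanza is an added example, not something posted in this thread or shipped by Splunk; it wraps the tstats search above in a schedule and a fixed dispatch window so the result does not depend on when the job happens to run. The stanza name, the 06:00 run time and the e-mail address are assumptions.

```ini
# savedsearches.conf, e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf
# Stanza name is an assumption; any unique name works.
[Monthly event count by index]
description = Total indexed events for the previous calendar month, per index plus an ALL row
# Run at 06:00 on the 1st of every month (minute hour day-of-month month day-of-week)
cron_schedule = 0 6 1 * *
enableSched = 1
# Fixed window: start of previous month to start of current month. Using the
# snapped modifiers here (rather than "last 30 days") keeps the count stable no
# matter what time of day the schedule fires.
dispatch.earliest_time = -1mon@mon
dispatch.latest_time = @mon
# tstats counts by _time, so this is "events with a timestamp in last month".
# Add "OR index=_*" to the WHERE clause if the internal indexes should be included.
search = | tstats count WHERE index=* by index | addcoltotals labelfield=index label=ALL
# Optional delivery; the recipient is a placeholder.
action.email = 1
action.email.to = reports@example.com
action.email.inline = 1
```

After saving, a restart or a debug/refresh of the conf files makes the report appear under Reports, where its history and the emailed tables can be checked on the 1st of the following month.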

MuS
SplunkTrust

This will make up a nice speedy chart report:

| tstats count AS myCount WHERE index=* by index, _time 
| where _time > relative_time(now(), "-1mon@mon") AND _time < relative_time(now(), "@mon") 
| timechart span=1mon sum(myCount) AS event_count by index

wtaylor149
Explorer

Thanks for the quick reply everyone. Each one of the answers has its own twist so I'll play around with them and see what each has to offer. Again, thanks very much for the quick and great help.

0 Karma

woodcock
Esteemed Legend

Like this:

index=* OR index=_*  earliest=-1mon@mon latest=-0mon@mon | stats count by index | addcoltotals | fillnull value=TOTAL

0 Karma

jkat54
SplunkTrust

I believe he wants _index_earliest and _index_latest because that is the date/time the event was indexed versus the date/time of the actual events.

0 Karma

jkat54
SplunkTrust

Try a combination of dbinspect and the time picker:

http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Dbinspect

If the time picker isn't working, then you could run this potentially "heavy" search instead:

index=* _index_earliest=-1month@month _index_latest=@month | stats count by index

0 Karma

jkat54
SplunkTrust

do note that when using _index_latest, timezones matter!

I've seen people ingesting data into indexers on the west coast using heavy forwarders on east coast timestamps. In effect, the indexers believe the data arriving from the east coast is 4 hours in the future.... so _index_latest=-4h was needed to see all of the events even though the events were occurring at the same space/time. I don't know if you have a geographically dispersed setup or not, but good to know for future reference.
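The skew described above (events indexed "before" their own timestamp because a forwarder and an indexer disagree on the timezone) can be measured directly by comparing _indextime with _time. The stanza below is an added example, not part of this thread or of Splunk's own configuration; it schedules a companion check alongside the monthly count that flags any index whose events were indexed more than an hour before, or more than an hour after, their event time. The stanza name, the run time and the one-hour threshold are assumptions.

```ini
# savedsearches.conf: companion sanity check for _indextime skew.
# Stanza name and the 3600-second threshold are assumptions.
[Index lag by index - previous month]
description = Spread between event time and index time per index; a large negative minimum means events were indexed before they "happened" (timezone or clock skew on a forwarder or indexer)
cron_schedule = 30 6 1 * *
enableSched = 1
dispatch.earliest_time = -1mon@mon
dispatch.latest_time = @mon
# _indextime is only available on raw events, so this cannot be a tstats search and
# counts as the "heavy" kind mentioned above. Backslash continues a line in .conf files.
search = index=* OR index=_* \
  | eval index_lag_sec = _indextime - _time \
  | stats count, min(index_lag_sec) AS min_lag, max(index_lag_sec) AS max_lag, avg(index_lag_sec) AS avg_lag by index \
  | where min_lag < -3600 OR max_lag > 3600 \
  | eval note = if(min_lag < -3600, "events indexed before their timestamp: check timezone/clock settings", "events indexed well after their timestamp: check forwarder backlog")
```

When this check reports a negative min_lag for an index, the monthly total produced by a _time-based search and one produced with _index_earliest/_index_latest will differ for that index, which is the discrepancy the _index_latest=-4h workaround was papering over.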
