Hello,
This to me seems like a rather easy question to have answered but I'll be if I can find one.
I'm looking to create a report on the first day of the month that will provide me the total count of indexed events from the previous month.
The use case is to provide the total number. I would also like as "nice to have" the total broken down over index as well. But the total number is really what is needed at this point.
Thanks in advance for helping the rookie.
You would need this search to run faster, so try something like this:
| tstats count WHERE index=* by index | addcoltotals labelfield=index label=ALL
Select the time range as "Previous month", or from -1mon@mon to @mon.
This will make up a nice speedy chart report:
| tstats count AS myCount WHERE index=* by index, _time
| where _time > relative_time(now(), "-1mon@mon") AND _time < relative_time(now(), "@mon")
| timechart span=1mon sum(myCount) AS event_count by index
Thanks for the quick replies, everyone. Each one of the answers has its own twist, so I'll play around with them and see what each has to offer. Again, thanks very much for the quick and great help.
Like this:
index=* OR index=_* earliest=-1mon@mon latest=-0mon@mon | stats count by index | addcoltotals | fillnull value=TOTAL
I believe he wants _index_earliest and _index_latest because that is the date/time the event was indexed versus the date/time of the actual events.
Try a combination of dbinspect and the time picker:
http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Dbinspect
If the time picker isn't working, then you could run this potentially "heavy" search instead:
index=* _index_earliest=-1month@month _index_latest=@month | stats count by index
Do note that when using _index_latest, timezones matter!
I've seen people ingesting data into indexers on the west coast using heavy forwarders on east coast timestamps. In effect, the indexers believe the data arriving from the east coast is 4 hours into the future, so _index_latest=-4h was needed to see all of the events, even though the events were occurring at the same space/time. I don't know if you have a geographically dispersed setup or not, but it's good to know for future reference.
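To make the timezone point above concrete, here is an added example (not from this thread or from Splunk) that reproduces what the -1mon@mon to @mon window does to index-time counts. The event list, the epoch values and the fixed UTC-4 offset standing in for the "east coast" indexer are all constructed for the demo; a real deployment would use the zone configured on the indexers. It counts events by index for the previous month, adds an ALL row in the spirit of addcoltotals, and shows that the same events give a different breakdown and total depending on which zone the month boundary is snapped in.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def _utc(year, month, day, hour, minute):
    """Epoch seconds for a wall-clock time given in UTC (helper for the sample data)."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed sample events: (index name, _indextime as UTC epoch seconds).
# _indextime is when the indexer wrote the event, which is what the
# _index_earliest/_index_latest modifiers filter on; the event's own _time
# may differ and is deliberately not modelled here.
SAMPLE_EVENTS = [
    ("main",     _utc(2024, 3, 1, 0, 30)),    # just after midnight UTC on Mar 1
    ("main",     _utc(2024, 3, 15, 12, 0)),
    ("web",      _utc(2024, 3, 1, 2, 0)),
    ("security", _utc(2024, 3, 31, 23, 30)),
    ("security", _utc(2024, 4, 1, 3, 0)),     # 03:00 UTC on Apr 1
    ("web",      _utc(2024, 4, 1, 12, 0)),
    ("web",      _utc(2024, 2, 29, 23, 0)),
]

# Fixed offsets used as stand-ins for the indexer's timezone (constructed).
UTC = timezone.utc
EAST = timezone(timedelta(hours=-4), "UTC-4")


def previous_month_window(now_epoch, tz):
    """Return (start, end) epoch seconds equivalent to Splunk's -1mon@mon and @mon,
    i.e. the previous calendar month with boundaries snapped in timezone tz."""
    now_local = datetime.fromtimestamp(now_epoch, tz)
    end = now_local.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    start = (end - timedelta(days=1)).replace(day=1)   # back into the previous month, then snap
    return int(start.timestamp()), int(end.timestamp())


def count_previous_month(events, now_epoch, tz):
    """Count events per index whose _indextime falls in the previous month
    (start inclusive, end exclusive) and add an ALL row with the grand total."""
    start, end = previous_month_window(now_epoch, tz)
    counts = Counter(idx for idx, t in events if start <= t < end)
    result = dict(sorted(counts.items()))
    result["ALL"] = sum(counts.values())
    return result


if __name__ == "__main__":
    report_run = _utc(2024, 4, 1, 6, 0)   # the scheduled report fires early on the 1st
    for tz in (UTC, EAST):
        print(tz, count_previous_month(SAMPLE_EVENTS, report_run, tz))
```

Run as a script it prints one line per zone. Snapped in UTC the window covers four events; snapped in UTC-4 the month starts and ends four hours later, so the early-March events drop out and the 03:00 UTC April event is pulled in, giving three. That shift is exactly why a fixed offset like _index_latest=-4h was needed in the setup described above.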