Splunk Search

Use of Count by Date in |metadata type=hosts

Path Finder

Hello. I would like to know if there is any specific (convenient) way to perform stats count by various dates.

Using |metadata type=hosts |fields host totalCount, I get something like this:

host    totalCount
A       5
B       27
C       48
D       95

I would like to perform stats count by name over a period of time, by date,

but the problem is that the log does not come with the timestamp.

As a result, I've been manually performing

|metadata type=hosts |fields host totalCount | stats count by Name    (with the time range set to earliest=-2d@d latest=-1d@d)
|metadata type=hosts |fields host totalCount | stats count by Name    (with the time range set to earliest=-3d@d latest=-2d@d)
|metadata type=hosts |fields host totalCount | stats count by Name    (with the time range set to earliest=-4d@d latest=-3d@d)
...

and so on.

Is this the only way, or is there any easier way to run the query to collect all the counts per date and get something like this:

host    12/04/14    12/05/14    12/06/14    ...
A       5           10          ...
B       27          12          ...
C       48          40          ...
D       95          25          ...

Thanks in advance!

0 Karma

SplunkTrust

The metadata command doesn't contain the time field for when the report was generated. Try this workaround:

| metasearch index=* | eval Date=strftime(_time,"%Y-%m-%d") | chart count over host by Date
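An added example, not posted by anyone in this thread, that builds the same host-by-date table from the indexed fields with tstats instead of metasearch. It assumes the hosts in question are searchable under index=* and uses a fixed 7-day window (earliest=-7d@d latest=@d) so every day in the range gets a column; because tstats buckets on _time, days on which a host logged nothing come back as 0 rather than as a missing cell.

```spl
| tstats count WHERE index=* earliest=-7d@d latest=@d BY host _time span=1d
| eval Date=strftime(_time, "%Y-%m-%d")
| chart sum(count) OVER host BY Date
| fillnull value=0
```

Compare the per-day totals against the totalCount from |metadata type=hosts for the same window to confirm the index filter covers all hosts you expect.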

Path Finder

The chart it is generating is exactly what I want but the problem is that it is giving the wrong count.

Moreover, after the 2-day count (as of today, 2014-12-10, 2014-12-11), all I'm getting is 0 for the count, which isn't true.

Any suggestion?

0 Karma

SplunkTrust

All events have the _time field automatically added by Splunk. You can use that to generate your reports.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Path Finder

It's in metadata format, in fact:

|metadata type=hosts

And no, I've tried |metadata type=hosts | stats count by _time

and it gives nothing.

0 Karma