Solved: What are better ways to provide counts?

santosh11 · ‎09-26-2019

Dear All,

There are 3 source types and we are pushing data into same index we need to give the count based on each source type.
I replied:

 Index= earliest ="-1y" latest ="now" | stats count by sourcetype.

Is there any faster way to provide counts apart from this way?

Regards,
Santosh

adonio · ‎09-26-2019

try this:
| tstats count as event_count where index=<YOUR_INDEX_HERE> by sourcetpye
you can use the time picker or earliest and latest as tstats can use these arguments

hope it helps

View solution in original post

richgalloway · ‎09-26-2019

Try tstats, although searching a year of data is likely to be slow regardless of the method used.

| tstats count where index=foo by sourcetype

---
If this reply helps you, Karma would be appreciated.

adonio · ‎09-26-2019

try this:
| tstats count as event_count where index=<YOUR_INDEX_HERE> by sourcetpye
you can use the time picker or earliest and latest as tstats can use these arguments

hope it helps

What are better ways to provide counts?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

What are better ways to provide counts?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions