Solved: What are better ways to provide counts?

santosh11 · ‎09-26-2019

Dear All,

There are 3 source types and we are pushing data into same index we need to give the count based on each source type.
I replied:

 Index= earliest ="-1y" latest ="now" | stats count by sourcetype.

Is there any faster way to provide counts apart from this way?

Regards,
Santosh

adonio · ‎09-26-2019

try this:
| tstats count as event_count where index=<YOUR_INDEX_HERE> by sourcetpye
you can use the time picker or earliest and latest as tstats can use these arguments

hope it helps

View solution in original post

richgalloway · ‎09-26-2019

Try tstats, although searching a year of data is likely to be slow regardless of the method used.

| tstats count where index=foo by sourcetype

---
If this reply helps you, Karma would be appreciated.

adonio · ‎09-26-2019

try this:
| tstats count as event_count where index=<YOUR_INDEX_HERE> by sourcetpye
you can use the time picker or earliest and latest as tstats can use these arguments

hope it helps

What are better ways to provide counts?

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk