Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the fastest way to run a query to get an event count on a timechart per host?

Splunk77
Explorer
‎09-28-2023 12:14 PM

What is the fastest way to run a query to get an event count on a timechart per host? This is for windows events and I want to get a list of how many events each device is logging per month so that I can identify the increase/decrease.

They are all ingested in one index. A query like this will take a while to run if run for about a year. Is there a faster way to get this data?

index=<index_name>
| timechart count by Computer span=1mon

Thanks.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-28-2023 12:41 PM

The tstats command will be faster, but processing a year of data for all hosts will still take a long time.

| tstats prestats=true count where index=foo by _time,host span=1mon
| timechart span=1mon count by host

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

&#x1f48c;Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...