Splunk Search

eventcount - spanning over time

brdr
Contributor

I'm attempting to write a search using eventcount command. I want to graph the number of events in my index/sourcetype per day over a span of 1 week. Can I use the eventcount for this? I'm not having much luck.

| eventcount summarize=false index=myindex sourcetype=mysourcetype 
| timechart span=1d count
1 Solution

somesoni2
Revered Legend

The eventcount command just gives the count of events in the specified index, without any timestamp information. Since your search includes only the metadata fields (index/sourcetype), you can use tstats commands like this, much faster than regular search that you'd normally do to chart something like that.

| tstats count WHERE index=myindex sourcetype=mysourcetype by _time span=1d 

You might have to add | timechart span=1d sum(count) as count at the end if the chart doesn't look continuous.

View solution in original post

somesoni2
Revered Legend

The eventcount command just gives the count of events in the specified index, without any timestamp information. Since your search includes only the metadata fields (index/sourcetype), you can use tstats commands like this, much faster than regular search that you'd normally do to chart something like that.

| tstats count WHERE index=myindex sourcetype=mysourcetype by _time span=1d 

You might have to add | timechart span=1d sum(count) as count at the end if the chart doesn't look continuous.

brdr
Contributor

great. thank you.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...