Splunk Search

tstats search that I can group over time for each of my indexes

bzsplunk54
New Member

Hello,
I'm looking for assistance with an SPL search utilizing the tstats command that I can group over a specified amount of time for each of my indexes.

I have this command to view the entire ingestion, but how can I parse it to show each index?

| tstats count where sourcetype=* by _time span=1d

Thank you


chrisyounger
SplunkTrust

Try this:

| tstats count where sourcetype=* by index _time span=1d | timechart sum(count) by index


bzsplunk54
New Member

That is complete awesomeness! Thank you....
