kunalmao
I am trying to do a time chart of the available indexes in my environment. I already tried the query below with no luck:
| tstats count where index=* by index _time
but I want results in the same format as
index=* | timechart count by index limit=50
gcusello (SplunkTrust)
Hi kunalmao,
Why do you want to use tstats if the second solution solves your needs?
If the problem is performance, use | metasearch before index=*
Bye.
Giuseppe
DEAD_BEEF
To add to this post for future readers, if you did want to use tstats, then you could use the following syntax:
| tstats count WHERE (index=*) BY index _time span=1d prestats=t
| timechart span=1d count by index
Adjust the span period (on both lines, as they must match) to whatever you prefer based on your search (1h, 4h, 5m, etc.).
guarisma
I would do it by including _time in the tstats' by statement
| tstats count where index=* by _time index | timechart span=1mon sum(count) by index