Report on data present in index for the past 90 da...

uayub · ‎05-16-2014

Hi - Can someone assist in generating a report showing that data is present in the main index for the past 90 days. This is a PCI requirement. This report should show the various months and amount of data in a chart or tabular format.

Thanks
UA

lguinn2 · ‎05-16-2014

This should work

index=main | bucket _time span=1mon | stats count as EventCount by _time source host

lguinn2 · ‎05-18-2014

Thanks @martin_mueller, I edited my answer to include _time

I hadn't thought of using tstats like that

martin_mueller · ‎05-16-2014

180x speedup for a 50GB SplunkIT index on my PC:

tstats ran first, so any cache warming effects were in favour of stats 🙂

martin_mueller · ‎05-16-2014

Shouldn't the stats also be grouped by _time to show the various months?

Also, this should do the same and be orders of magnitude faster:

| tstats count as EventCount where index=main by _time source host span=1mon

lguinn2 · ‎05-16-2014

Sorry, my bad

uayub · ‎05-16-2014

It says the argument host in invalid and does not execute.

Report on data present in index for the past 90 days - for Audit purposes

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?