Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Report on data present in index for the past 90 days - for Audit purposes

uayub
Path Finder
‎05-16-2014 04:07 PM

Hi - Can someone assist in generating a report showing that data is present in the main index for the past 90 days. This is a PCI requirement. This report should show the various months and amount of data in a chart or tabular format.

Thanks
UA

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎05-16-2014 04:12 PM

This should work

index=main | bucket _time span=1mon | stats count as EventCount by _time source host
0 Karma
Reply

lguinn2
Legend
‎05-18-2014 04:14 PM

Thanks @martin_mueller, I edited my answer to include _time

I hadn't thought of using tstats like that

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-16-2014 07:11 PM

180x speedup for a 50GB SplunkIT index on my PC:

alt text
alt text

tstats ran first, so any cache warming effects were in favour of stats 🙂

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-16-2014 05:39 PM

Shouldn't the stats also be grouped by _time to show the various months?

Also, this should do the same and be orders of magnitude faster:

| tstats count as EventCount where index=main by _time source host span=1mon
Reply

lguinn2
Legend
‎05-16-2014 04:27 PM

Sorry, my bad

0 Karma
Reply

uayub
Path Finder
‎05-16-2014 04:17 PM

It says the argument host in invalid and does not execute.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...