Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Report on data present in index for the past 90 days - for Audit purposes

uayub
Path Finder
‎05-16-2014 04:07 PM

Hi - Can someone assist in generating a report showing that data is present in the main index for the past 90 days. This is a PCI requirement. This report should show the various months and amount of data in a chart or tabular format.

Thanks
UA

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎05-16-2014 04:12 PM

This should work

index=main | bucket _time span=1mon | stats count as EventCount by _time source host
0 Karma
Reply

lguinn2
Legend
‎05-18-2014 04:14 PM

Thanks @martin_mueller, I edited my answer to include _time

I hadn't thought of using tstats like that

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-16-2014 07:11 PM

180x speedup for a 50GB SplunkIT index on my PC:

alt text
alt text

tstats ran first, so any cache warming effects were in favour of stats 🙂

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-16-2014 05:39 PM

Shouldn't the stats also be grouped by _time to show the various months?

Also, this should do the same and be orders of magnitude faster:

| tstats count as EventCount where index=main by _time source host span=1mon
Reply

lguinn2
Legend
‎05-16-2014 04:27 PM

Sorry, my bad

0 Karma
Reply

uayub
Path Finder
‎05-16-2014 04:17 PM

It says the argument host in invalid and does not execute.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...