Splunk Search

How to create a search that can Event count by Vendor/Product by Day for past 30days?

adalbor
Builder

Hey All,

I am trying to create an efficient search that I can schedule and run once a month to create some metrics.

I would like to be able to get a number of events per vendor/product or sourcetype by day for the last 30 days. I was then hoping to use a sparkline to trend that data over those 30 days with each day being a point in that sparkline (or line chart).

I have been looking at tstats but wasn't quite sure how to accomplish this goal as a couple of test searches weren't returning quite what I needed.

Any help would be greatly appreciated!

1 Solution

DavidHourani
Super Champion

Hi @adalbor, if you want to use tstats for faster results make sure your data model includes the _time field and that it's accelerated. Once that is done the rest should be easy; you can share your query with us and we can help you improve it 😉

sandeepmakkena
Contributor

sourcetype=*
| bucket _time span=day
| stats count by _time

This should work.

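Building on the search above, here is an added example (mine, not from any poster in the thread) that answers the original question: event count per day, per index and sourcetype, for the last 30 whole days, collapsed into one sparkline per pair. The index=* term is spelled out because a search with no index term only covers the indexes that are default for the searching role, which is one reason counts can look low; earliest=-30d@d latest=@d snaps the window to midnight so neither end is a partial day.

```spl
index=* earliest=-30d@d latest=@d
| bucket _time span=1d
| stats count by _time index sourcetype
| stats sparkline(sum(count), 1d) as trend sum(count) as total_30d by index sourcetype
| sort - total_30d
```

This still reads every event in the window, so it is acceptable once a month off-hours, but it is exactly the "fetch everything, then stats" pattern the later replies warn about. Counting by index-time fields (index, sourcetype, source, host) with tstats gives the same table from the index files without touching raw events.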
adalbor
Builder

Does this include every index? The event counts looked pretty low when I ran that.

sandeepmakkena
Contributor

It should include every index; we are only filtering by sourcetype. Or, if you think it's not including them, just add index=* to that query.

sandeepmakkena
Contributor

Did this work ?

adalbor
Builder

Hey @DavidHourani,
I don't have a data model set up for this. Is that something I should be doing?

DavidHourani
Super Champion

If you want to use tstats you will need to accelerate your data in a data model, yes. How were you using tstats without a DM to access non-indexed fields?

adalbor
Builder

I am not specifically trying to use tstats; I am more just trying to find the most efficient way to do this.
I wasn't sure if tstats would do the job or not, or a stats count.

DavidHourani
Super Champion

Well, tstats runs on metadata directly, so it's the fastest if you're looking for performance.

You can also go for a summary index containing the values you need for your timechart that could be fast as well.

In any case you should avoid fetching all the data with

index=YourIndexName | stats yourStats

adalbor
Builder

Yeah, that's why I was exploring other options and trying to figure out an advanced search like this, as I am fairly new to the Splunk world. Piping to stats was slow and inefficient.

DavidHourani
Super Champion

Yeah, you really want to avoid that. Accelerated data models and summary indexing are the way to go when there's a lot of data to search 🙂

Let me know if you need anything else! And please accept the answer and upvote if it was helpful.

adalbor
Builder

Appreciate the help but I am still not sure where to start or how to accomplish.

DavidHourani
Super Champion

Ahh, ok well. That's the easy part, you've got everything in the Splunk docs.
Step 1: create your data model and assign the right data to it. That can be found here:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/Managedatamodels#Create_a_new_data_mode...
Step 2: accelerate the data model. That can be found here:
https://docs.splunk.com/Documentation/Splunk/7.3.0/HadoopAnalytics/Configuredatamodelacceleration#Ac...
Step 3: query the accelerated data using tstats. You can find that here:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/Acceleratedatamodels#Using_the_summarie...

Let me know if you need more help with those steps.

Cheers,
David

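Step 3 in practice, as added examples that are not from the thread. One point worth knowing before building a data model for this: index, sourcetype, source and host are index-time fields, so for the original question tstats can count by them straight from the index files with no data model at all; the first query does exactly that. The second query is the accelerated-data-model form, where MyEvents is a hypothetical model name (the by-fields carry the root dataset name as a prefix, as tstats requires) and summariesonly=true restricts the search to summaries that have already been built, so days not yet accelerated are simply absent rather than slow.

```spl
| tstats count where index=* earliest=-30d@d latest=@d by _time span=1d index sourcetype
| stats sparkline(sum(count), 1d) as trend sum(count) as total_30d by index sourcetype

| tstats summariesonly=true count from datamodel=MyEvents where earliest=-30d@d latest=@d by _time span=1d MyEvents.sourcetype
| rename MyEvents.sourcetype as sourcetype
| stats sparkline(sum(count), 1d) as trend sum(count) as total_30d by sourcetype
```

The first form is the cheapest way to get the requested counts; the data-model form only pays off when the metric needs fields that are not indexed, and its numbers lag behind real time by however far the acceleration backfill has progressed.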
adalbor
Builder

Once again... thanks for the assistance but docs aren't what I need. Guess I'll figure it out on my own.

DavidHourani
Super Champion

ummm, okay well judging from the answer below you're looking for something like this:

| metasearch index=* | timechart count by index

Or simply like this if it's a count of events over time:

| metasearch index=* | timechart count

adalbor
Builder

The first metasearch search worked pretty well. It took a little while to run against 7 days of data, but I will schedule the search for a low-impact time, probably overnight.

Thanks for your help!

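For the monthly schedule mentioned above, a savedsearches.conf stanza as an added example (my own, not from the thread; the stanza name and the summary index name are placeholders). It runs the metadata-only count on the first of each month over the 30 whole days before that midnight and writes the daily rows to a summary index, so the sparkline or line chart can later be built from those rows instead of re-reading the source indexes.

```ini
# savedsearches.conf, added example stanza (placeholders: stanza name, summary index)
[Monthly event volume by index and sourcetype]
search = | tstats count where index=* by _time span=1d index sourcetype
enableSched = 1
# 02:00 on the 1st of every month
cron_schedule = 0 2 1 * *
# the 30 whole days ending at the most recent midnight, no partial days at either end
dispatch.earliest_time = -30d@d
dispatch.latest_time = @d
# let the scheduler delay the start by up to 60 minutes if the search head is busy
schedule_window = 60
# keep the daily rows in a summary index for later charting
action.summary_index = 1
action.summary_index._name = summary
```

Summary-indexed events carry the saved search name as their source, so the trend is read back with index=summary source="Monthly event volume by index and sourcetype" | stats sparkline(sum(count), 1d) as trend sum(count) as total_30d by index sourcetype, which touches only the summary rows. If the chart is drawn with timechart rather than stats, add limit=0, since timechart keeps only the ten largest series by default and folds the rest into OTHER.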