Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Reporting total scanned events in emailed search results

Akita881
New Member
‎11-20-2012 03:20 PM

After running a search the display above the time bar will show X amount of matching events, indicating the number of events scanned through to produce the results. I would like to include that number in the output of the search, which I have emailed to me. Currently the email only contains the table of results, without the total events scanned. Any help would be appreciated.

Tags (1)
0 Karma
Reply

kplatte
New Member
‎01-09-2017 01:43 PM

The information you are looking for are search parameters; searchCount and resultCount. A complete description is located under Search properties:
gives the complete number of events scanned and resultCount gives the number that met your search parameters.

0 Karma
Reply

mmacvicar_splun
Splunk Employee
Splunk Employee
‎06-20-2017 03:11 PM

@kplatte you are referring to the job inspector http://docs.splunk.com/Documentation/Splunk/latest/Search/ViewsearchjobpropertieswiththeJobInspector values scanCount and resultCount.

Per this question https://answers.splunk.com/answers/488913/which-search-commands-allow-you-to-display-search.html it requires some effort to get those results in a query.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-21-2012 03:29 AM

Could you post the query used to create the table? It's probably possible to mesh my crude way in there somewhere to do the counting before the charting.

0 Karma
Reply

Akita881
New Member
‎11-21-2012 03:18 AM

I appreciate the response. Thanks. However I was not clear in my original posting. Above the timeline bar graph I will see, for example, 87,556 events scanned and my output table may only have 3 rows. I would like to have the 87,556 events scanned appear in mu output table somewhere. Thanks.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-21-2012 12:12 AM

A crude way would be to sum up a field containing 1:

... | eval eventcount=1 | addcoltotals eventcount

That's assuming the number of table rows equals the number of events scanned.

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...