After running a search the display above the time bar will show X amount of matching events, indicating the number of events scanned through to produce the results. I would like to include that number in the output of the search, which I have emailed to me. Currently the email only contains the table of results, without the total events scanned. Any help would be appreciated.
The information you are looking for are search parameters; searchCount and resultCount. A complete description is located under Search properties:
gives the complete number of events scanned and resultCount gives the number that met your search parameters.
@kplatte you are referring to the job inspector http://docs.splunk.com/Documentation/Splunk/latest/Search/ViewsearchjobpropertieswiththeJobInspector values scanCount and resultCount.
Per this question https://answers.splunk.com/answers/488913/which-search-commands-allow-you-to-display-search.html it requires some effort to get those results in a query.
Could you post the query used to create the table? It's probably possible to mesh my crude way in there somewhere to do the counting before the charting.
I appreciate the response. Thanks. However I was not clear in my original posting. Above the timeline bar graph I will see, for example, 87,556 events scanned and my output table may only have 3 rows. I would like to have the 87,556 events scanned appear in mu output table somewhere. Thanks.
A crude way would be to sum up a field containing 1:
... | eval eventcount=1 | addcoltotals eventcount
That's assuming the number of table rows equals the number of events scanned.