Reporting total scanned events in emailed search results

Akita881
New Member

After running a search the display above the time bar will show X amount of matching events, indicating the number of events scanned through to produce the results. I would like to include that number in the output of the search, which I have emailed to me. Currently the email only contains the table of results, without the total events scanned. Any help would be appreciated.

0 Karma

kplatte
New Member

The information you are looking for are search parameters: searchCount and resultCount. A complete description is located under Search properties:
gives the complete number of events scanned and resultCount gives the number that met your search parameters.

0 Karma

mmacvicar_splun
Splunk Employee

@kplatte you are referring to the job inspector http://docs.splunk.com/Documentation/Splunk/latest/Search/ViewsearchjobpropertieswiththeJobInspector values scanCount and resultCount.

Per this question https://answers.splunk.com/answers/488913/which-search-commands-allow-you-to-display-search.html it requires some effort to get those results in a query.

0 Karma

martin_mueller
SplunkTrust

Could you post the query used to create the table? It's probably possible to mesh my crude way in there somewhere to do the counting before the charting.

0 Karma

Akita881
New Member

I appreciate the response. Thanks. However, I was not clear in my original posting. Above the timeline bar graph I will see, for example, 87,556 events scanned and my output table may only have 3 rows. I would like to have the 87,556 events scanned appear in my output table somewhere. Thanks.

0 Karma

martin_mueller
SplunkTrust

A crude way would be to sum up a field containing 1:

... | eval eventcount=1 | addcoltotals eventcount

That's assuming the number of table rows equals the number of events scanned.
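
Added example, not part of the thread or of Splunk's own code: one way to get the job inspector values scanCount and resultCount into an emailed report is to read them from the search job's REST entry (`GET /services/search/jobs/<sid>?output_mode=json`) after the job finishes and put them above the result table. The response below is a constructed sample trimmed to the fields used, and the function names, SID and result rows are assumptions made for illustration.

```python
import json

# Constructed sample of the JSON returned by
# GET /services/search/jobs/<sid>?output_mode=json (trimmed to the fields used).
SAMPLE_JOB_JSON = json.dumps({
    "entry": [{
        "content": {
            "sid": "1700000000.42",  # constructed search id
            "isDone": True,
            "dispatchState": "DONE",
            "scanCount": 87556,
            "eventCount": 87556,
            "resultCount": 3,
        },
    }]
})


def job_counts(job_json):
    """Return scanCount/eventCount/resultCount for a finished search job."""
    entries = json.loads(job_json).get("entry") or []
    if not entries:
        raise ValueError("no job entry in response")
    content = entries[0]["content"]
    # The counts keep growing while the job runs; only report final values.
    if not content.get("isDone"):
        raise RuntimeError("job %s not finished (state=%s)"
                           % (content.get("sid"), content.get("dispatchState")))
    return {k: int(content[k]) for k in ("scanCount", "eventCount", "resultCount")}


def email_body(rows, counts):
    """Render result rows as a plain-text table with a scan summary on top."""
    header = ("Events scanned: {scanCount:,} | matched: {eventCount:,} "
              "| rows: {resultCount}").format(**counts)
    if not rows:
        return header + "\n(no results)"
    cols = list(rows[0])
    widths = [max(len(c), *(len(str(r[c])) for r in rows)) for c in cols]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    lines = [fmt.format(*cols)] + [fmt.format(*(str(r[c]) for c in cols)) for r in rows]
    return "\n".join([header, ""] + lines)


if __name__ == "__main__":
    # Constructed rows standing in for the three-row table from the thread.
    rows = [{"host": "web01", "count": 12}, {"host": "web02", "count": 7},
            {"host": "web03", "count": 1}]
    print(email_body(rows, job_counts(SAMPLE_JOB_JSON)))
```
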
