Print number of returned results with data if > 10...

OldManEd · ‎01-27-2014

I have a “stats” search that returns millions of results. Splunk can only show 10,000. That’s OK but what I would like is the very first row on the search results page to show an accurate count of the number of results and then the 10,000 rows of data, in table format that I’m getting now, after that. Is this possible?
~Ed

OldManEd · ‎01-28-2014

OK, here's what I came up with that works for me. I used the "dedup" and "accum" functions of Splunk. The dedup got rid of duplicate events and the accum gave me a running total. To get the total number of results, I simply run a sort on the resulting "total_count" column. Thanks for everyone's help on this one.

index="indexname" source="logname" host="*partialhostname*" | eval fieldNameTotal = fieldname1."-".fieldname2 | dedup fieldNameTotal | stats count by fieldNameTotal, fieldname3 | accum count AS total_count

somesoni2 · ‎01-28-2014

One more option that your can try.

index="indexname" source="logname" host="partialhostname" | eval fieldNameTotal = fieldname1."-".fieldname2 | stats count by fieldnameTotal, fieldname3 | addcoltotals | eval fieldname3 =if(isnull(fieldname3), "#Total Rows",fieldname3 ) | sort fieldname3

somesoni2 · ‎01-28-2014

It should be the first row in the table and "#Total Rows" should appear under fieldname3 column.

OldManEd · ‎01-28-2014

I tried the search above and I got my table fine, but I couldn't find the "#Total Rows" anywhere in the report.

martin_mueller · ‎01-28-2014

A caveat for using sort: It doesn't really like large result sets. You will at least need to specify a count of 0 to overcome the default restriction of 10000 events.

martin_mueller · ‎01-27-2014

You could append this to your search to get a count of events added to each row:

... | eventstats count

martin_mueller · ‎01-28-2014

For example you could add a PostProcess module as a sibling of your Table module, do a | stats count there, and display that in an HTML module.
That's assuming you're in an AdvancedXML view. I'm sure similar things can be done using the SplunkJS stack, not so sure about SimpleXML.

OldManEd · ‎01-28-2014

Martin, how would I do this?

martin_mueller · ‎01-28-2014

If you already have a field called count you can do this instead:

... | eventstats count as total_count

Here's an entirely different idea: Leave your table as-is, and add an HTML panel above the table that prints out the number of results separately from the table.

OldManEd · ‎01-28-2014

Yes, this will work but not really what I'm looking for. Bedsides, I'm already using the "stats" and "count" field. The search looks like this;

index="indexname" source="logname" host="partialhostname" | eval fieldNameTotal = fieldname1."-".fieldname2 | stats count by fieldnameTotal, fieldname3 | sort fieldname3

Any other ideas?

Print number of returned results with data if > 10,000

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life