Hello. I would like to know if there is any specific, convenient way to perform stats count by various dates.
Using |metadata type=hosts |fields host totalCount, I get something like this
host  totalCount
A     5
B     27
C     48
D     95
I would like to perform stats count by name over a period of time by date
but the problem is that the log does not come with the timestamp.
As a result, I've been manually performing
|metadata type=hosts |fields host totalCount| stats count by Name   with the time range set to earliest=-2d@d latest=-1d@d
|metadata type=hosts |fields host totalCount| stats count by Name   with the time range set to earliest=-3d@d latest=-2d@d
|metadata type=hosts |fields host totalCount| stats count by Name   with the time range set to earliest=-4d@d latest=-3d@d
... ... ...
and so on.
Is this the only way, or is there an easier way to run the query to collect all the counts per date and get something like this:
host  12/04/14  12/05/14  12/06/14  ...
A     5         10        ...
B     27        12        ...
C     48        40        ...
D     95        25        ...
Thanks in advance!
The metadata command doesn't contain the time field for when the report was generated. Try this workaround:
| metasearch index=* | eval Date=strftime(_time,"%Y-%m-%d") | chart count over host by Date
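As an added example (not part of the answer above, and not taken from Splunk's documentation), here is the same per-host, per-day pivot with the day boundaries and the time window made explicit in the search instead of relying on the time picker. It assumes a 7-day window ending at the most recent midnight and the `index=*` wildcard; adjust both to the indexes and range you actually want. The first search uses `tstats`, which counts from the index's time-series index files and is far cheaper than `metasearch` on large indexes; the second is the `metasearch` form with explicit `bin` bucketing. Both count on each event's `_time`: a host whose logs carry no usable timestamp still gets a `_time` assigned by Splunk at index time, so its events land in whichever day they were indexed. `limit=0` stops `chart` from collapsing extra dates into an `OTHER` column, and `fillnull` turns the empty cells for silent hosts into explicit zeros.

```spl
| tstats count where index=* earliest=-7d@d latest=@d by host _time span=1d
| eval Date=strftime(_time, "%Y-%m-%d")
| chart limit=0 sum(count) over host by Date
| fillnull value=0

| metasearch index=* earliest=-7d@d latest=@d
| bin _time span=1d
| eval Date=strftime(_time, "%Y-%m-%d")
| chart limit=0 count over host by Date
| fillnull value=0
```

Run either search on its own. Do not expect the row totals to match `totalCount` from `| metadata type=hosts`: that figure is not bucketed by day, so it will never line up with a daily breakdown. A row that drops to 0 for a day while the other hosts keep counting is the log-source gap a security team wants to alert on, so this table is also a reasonable base for a scheduled "host stopped logging" search.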
The chart it generates is exactly what I want, but the problem is that it is giving the wrong count.
Moreover, after 2 days' count (as of today, 2014-12-10, 2014-12-11), all I'm getting is 0 for the count, which isn't true.
Any suggestion?
All events have the _time field automatically added by Splunk. You can use that to generate your reports.
It's in metadata format in fact.
|metadata type=hosts
And no, I've tried |metadata type=hosts|stats count by _time
and it gives nothing.