Splunk Search

Use of Count by Date in |metadata type=hosts

hcheang
Path Finder

Hello. I would like to know if there is any speicific - convenient - way to perform stats count by various date.

Using |metadata type=hosts |fields host totalCount, I get something like this

host               totalCount
    A                    5
    B                    27
    C                    48
    D                    95

I would like to perform stats count by name over a period of time by date

but the problem is that the log does not come with the timestamp.

As a result, I've been manually performing
|metadata type=hosts |fields host totalCount| stats count by Name Set the timestamp to earliest=-2d@d latest -d@d
|metadata type=hosts |fields host totalCount| stats count by Name Set the timestamp to earliest=-3d@d latest -2@d
|metadata type=hosts |fields host totalCount| stats count by Name Set the timestamp to earliest=-4d@d latest -3@d
... ... ...
and so on.

Is this the only way or is there any easier way to run the query to collect all the counts for date to get something like this;

  host      12/04/14      12/05/14      12/06/14      ...
    A         5           10              ...
    B         27          12              ...
    C         48          40              ...
    D         95          25              ...

Thanks in advance!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The metadata command doesn't contains the time field for when the report was generated. Try this workaround:-

| metasearch index=* | eval Date=strftime(_time,"%Y-%m-%d") | chart count over host by Date

hcheang
Path Finder

The chart it is generating is exactly what I want but the problem is that it is giving the wrong count.

Moreover, after 2 days count (as of Today, 2014-12-10, 2014-12-11), all I'm getting is 0 for the count which isn't true.

Any suggestion?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

All events have the _time field automatically added by Splunk. You can use that to generate your reports.

---
If this reply helps you, Karma would be appreciated.
0 Karma

hcheang
Path Finder

It's in metadata format in fact.

|metadata type=hosts

And no, I 've tried |metadata type=hosts|stats count by _time

and it gives nothing.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...