- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search a count of events by index-name ever...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All I want is a table like this with a little style:
_time INDEX1 (events) INDEX2 (events) INDEX3 (events)
2015-12-03 822 2,211 1,312,118
2015-12-02 1,133 2,104 982,127
2015-12-01 1,320 2,612 991,815
"a little style" means all numbers with commas, convert all lower-case index-name to upper-case letter.
First I run a summary search everyday as *|sitimechart span=1d count by index
Then my search string:
index=summary search_name="events count summary"
[search index=summary search_name="events count summary" earliest=-5d | fields orig_index | return 1000 orig_index]
## trying to ignore old indexes.
| bin _time span=1d
| stats count by _time orig_index
| rename orig_index as index
| append [search earliest=-0d@d | fields index | bin _time span=1d | stats count by _time index]
## append today's events
| fieldformat count=tostring(count,"commas")
| eval index=upper(index)+" (events)"
| xyseries _time index count
| fields - VALUE_*
## remove some unexpected fields
| sort - _time
but all commas get lost after the xyseries command.
Could anyone help me with this? or just ignore all above and offer me a pretty one?
Another problem:
...| stats count by _time index | timechart values(count) by index span=1d
I first use timechart instead of xyseries, any other numerical field is OK, but 'count', it combines _time to months and makes values(count) a multivalue field. That confused me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try eval count=tostring(count,"commas") instead of fieldformat count=tostring(count,"commas")
Not sure about your exact requirement but try below search also after setting the time range to last 5 days
|tstats count where index=* by _time index|eval index=upper(index)+" (events)" |eval count=tostring(count, "commas")|xyseries _time index count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try eval count=tostring(count,"commas") instead of fieldformat count=tostring(count,"commas")
Not sure about your exact requirement but try below search also after setting the time range to last 5 days
|tstats count where index=* by _time index|eval index=upper(index)+" (events)" |eval count=tostring(count, "commas")|xyseries _time index count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! Just replacing fieldformat with eval has solved my problem.
I have tried |tstats. That should be much prettier for my requirement.
But I still get a problem: I am not checking only last 5 days' statistics.
I mean the results should remain only the fileds(indexes) that have some events indexed in the last 5 days, so I won't see those 'blank' or 'null' or '0' after sorted by -_time, at least not in the first 5 lines.
I used |search [search tstats count where index=* earliest=-5d by _time index|return 100 index ] after |tstatscommand, trying to restrict indexes range, but failed.
Is there any way to get rid of my turbid search? as http://postimg.org/image/a8w4tdtd3/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi can you mabe offer an example or a screenshot of what your results look like after the "--append today's events" step. So we can offer you a solution based on this result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, tom
Thank you. I have captured some screenshots.
This is what I want: http://postimg.org/image/a8w4tdtd3/
And this at first troubled me a lot: http://postimg.org/image/8dzj6i86x/
I think renjith just solved my problem, according to him, I replaced fieldformat with eval, all commas came back.
I append a subsearch earliest=-0d@d so that I can see current day's count. otherwise the earliest edit:latest day will be yesterday, cause summary search is not yet triggered today.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
