Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

find total unique sources over the last 30 days?

mfrost8
Builder
‎06-24-2010 07:51 PM

I have what I think should be a simple search, but I'm not quite able to come up with a way to do it. Ultimately I guess this is simply summing the total sources per host.

I'm trying to count the number of unique sources Splunk has used over the last, say 30 days. when I say unique sources, I mean that it would count

host1: /a/b/c, /d/e/f host2: /a/b/c, /d/e/f host3: /a/b/c, /d/e/f

as 6 separate sources even though the actual source name is the same. I had tried looking at the total sources in "metadata" but that looks at more sources than I'm looking for.

I don't need a breakdown by host, or a listing of the sources -- just a total count.

It seems like I'd want to somehow combine the hostname and the source name into one text field and then count the number of unique instances of that?

Thanks very much.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-24-2010 10:05 PM

the metadata command does list the more recent time that data was written to the source, so you could just filter on that, except that it doesn't split out by host. The only way to do what you want unfortunately (and it's slow) is something like:

* | stats count by host,source | stats count

If you need to query this a lot, you should build a (daily or hourly) summary index of * | sistats count by host,source and query stats count out of that.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-24-2010 10:05 PM

the metadata command does list the more recent time that data was written to the source, so you could just filter on that, except that it doesn't split out by host. The only way to do what you want unfortunately (and it's slow) is something like:

* | stats count by host,source | stats count

If you need to query this a lot, you should build a (daily or hourly) summary index of * | sistats count by host,source and query stats count out of that.

Reply
Solved! Jump to solution

mfrost8
Builder
‎06-25-2010 01:44 PM

This isn't something I need to run regularly so I can handle the long-running search. Thanks very much for the response!

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎06-24-2010 10:58 PM

This is another place where it would be nice search just the index without actually incurring the overhead of loading the raw data for each event. But for now, I'd suggest making sure that the event typer and lookups are disabled when creating a saved search for this. (Splunk should be able to disable a bunch of field extractions too, hopefully.)

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...