I'm using this query right now:
stats count by host, source, date_mday
It only lists Linux hosts but lists the data exactly as I need. We've got a bunch of Windows boxes and I'm not sure exactly why the filtering is happening. I'm guessing because of date_mday. The reason I'm using date_mday is because I want to break down the count of log data by host and by source so that I can make sure I'm collecting everything as expected. Should I be using something based off _time? Is there a better way to get the summary I'm looking for?
I'm guessing this is something fairly simple, but I'm pretty new to Splunk.
date_mday is created by Splunk, based on the time. This field exists for all events, regardless of source.
What you are showing is just the command part of a search string. Can you show the entire search string?
In the meantime, are any other queries working? When you login to Splunk, do you see any Windows data on the Summary page? Is the Windows data perhaps in a different index?
Weird. Well, try this:
splunk_server="SERVERNAME" |
eval date_mday = tonumber(strftime(_time,"%d")) |
stats count by host source date_mday
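The suggestion above works because `stats ... by` silently drops any event in which one of the by-fields is null, so a source whose events carry no date_mday disappears from the table, while a day value computed from _time exists for every event. The following Python script is an added illustration, not code from the thread or from Splunk: it simulates that `stats count by` behaviour on a handful of constructed events (the Windows events deliberately lack date_mday), derives the day from _time instead, and then lists which host/source pairs have no events on a day where other pairs do, which is the collection-gap check the question is really after. It goes one step beyond the reply by keying on a full `YYYY-mm-dd` day rather than day-of-month alone, since over a multi-month range the same date_mday value would merge different days; the event data and the host/source names are assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (not from the original thread). _time is epoch
# seconds (2012-02-02 and 2012-02-03 UTC). The Windows events have no
# date_mday field, mimicking a source whose timestamp fields were not extracted.
EVENTS = [
    {"_time": 1328140800, "host": "lnx01", "source": "/var/log/messages", "date_mday": 2},
    {"_time": 1328144400, "host": "lnx01", "source": "/var/log/messages", "date_mday": 2},
    {"_time": 1328227200, "host": "lnx01", "source": "/var/log/messages", "date_mday": 3},
    {"_time": 1328140800, "host": "win01", "source": "WinEventLog:Security"},
    {"_time": 1328144400, "host": "win01", "source": "WinEventLog:Security"},
    {"_time": 1328227200, "host": "win01", "source": "WinEventLog:System"},
]


def stats_count_by(events, *by_fields):
    """Simulate `stats count by f1 f2 ...`.

    Like Splunk, an event missing any of the by-fields is excluded from the
    result, which is exactly how a whole source can vanish from the table.
    """
    counts = Counter()
    for ev in events:
        key = tuple(ev.get(f) for f in by_fields)
        if any(v is None for v in key):
            continue  # null by-field: event contributes nothing
        counts[key] += 1
    return dict(counts)


def with_day_from_time(events):
    """Simulate `eval day=strftime(_time, "%Y-%m-%d")`.

    Every event has _time, so the derived field is never null and no event
    is dropped by the later stats.
    """
    out = []
    for ev in events:
        day = datetime.fromtimestamp(ev["_time"], tz=timezone.utc).strftime("%Y-%m-%d")
        out.append({**ev, "day": day})
    return out


def collection_gaps(counts):
    """Given (host, source, day) -> count, list the (host, source, day) triples
    that have no events although that day has events from other pairs.
    A gap is the signal that a forwarder or input stopped sending."""
    days = sorted({day for (_, _, day) in counts})
    pairs = sorted({(h, s) for (h, s, _) in counts})
    return [(h, s, d) for (h, s) in pairs for d in days if (h, s, d) not in counts]


if __name__ == "__main__":
    print("by date_mday (Windows events silently dropped):")
    for k, v in sorted(stats_count_by(EVENTS, "host", "source", "date_mday").items(), key=str):
        print("  ", k, v)
    print("by day derived from _time:")
    by_day = stats_count_by(with_day_from_time(EVENTS), "host", "source", "day")
    for k, v in sorted(by_day.items()):
        print("  ", k, v)
    print("host/source pairs with no events on a day:")
    for gap in collection_gaps(by_day):
        print("  ", gap)
```

Running it shows the Linux host in both tables but the Windows host only in the second, and the gap report then points at the exact host/source/day combinations worth checking on the forwarder side.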
When I use the same search string without date_mday, the Windows sources show up as I'd expect.
The only other detail is that I'm limiting my search to a specific splunk server to limit the scope of my search:
splunk_server="SERVERNAME" | stats count by host, source, date_mday
I did set a date restriction (2012-02-01 00:00:00 to now). I'm not aware of any other input I might be excluding, as this is all I'm specifying in Splunk.