Splunk Search

How to find out how many logs an index gets in a 24-hour period?

DDewarSplunk
New Member

Afternoon Splunk Gurus

I wonder if you would be so kind as to help / point me in the right direction?
I'm new to Splunk and still getting used to extracting data. I'm looking to find out how to get the total number of logs which go to an index in a set time period (24 hours).

Or even how to get all the Indexes currently in Splunk and log source and number of logs in last 24hours.

Many thanks for any help provided.

0 Karma
1 Solution

gcusello
SplunkTrust

Hi DDewarSplunk,
for one index, try:

index=your_index earliest=-24h@h latest=now
| stats count

If you have more indexes, try:

index=* earliest=-24h@h latest=now
| stats count by index

Bye.
Giuseppe


0 Karma

Stophs
Engager
| tstats count where index=* by index

Super late to the party, but this query will get it done for everything but internals at a fraction of the time.

sbbadri
Motivator

@DDewarSplunk

Please install the app below from Splunkbase. It will give you an overall idea about your hosts, indexes and sourcetypes:

https://splunkbase.splunk.com/app/2949/

If above app is not working out, please try with below query,

| tstats count as Total where index=* host=* sourcetype=* by index source sourcetype

or

index=_internal source=*metrics.log group=per_sourcetype_thruput
| chart sum(kb) by series
| sort -sum(kb)
| head 5
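The metrics.log search above reports indexed kilobytes per sourcetype. The same log also carries a per-index series with an event count, which answers the original question without scanning the events themselves. The following search is an added example, not from any poster on this thread; it assumes a default deployment where the indexer's metrics.log is forwarded to _internal, and the field names (group, series, ev, kb) are the standard ones in that log.

```spl
index=_internal source=*metrics.log group=per_index_thruput earliest=-24h@h latest=now
| stats sum(ev) AS events sum(kb) AS kb BY series
| rename series AS index
| sort - events
```

Two caveats a practitioner should keep in mind: metrics.log only records the top series per sampling interval (10 by default), so low-volume indexes can be under-counted or missing entirely, and the numbers are measured at ingest time rather than by the events' own _time. For an exact figure use tstats or stats against the index itself; use this one for a cheap throughput overview.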

DDewarSplunk
New Member

Thanks Giuseppe that's great,

I've been adding a dedup etc. and can better understand how to query.

Can I ask about the | stats count by index
Is this counting "Events" or actual log files sent up to Index ?

I need to see how many log files are sent up; maybe it's one and the same thing.

Thanks again

D

0 Karma


gcusello
SplunkTrust

Hi DDewarSplunk,
beware: if you use the dedup command you won't have the real total count of events sent to the indexes!

Anyway, stats count by index gives you the number of events for each index; if you want the number of sources, you have to use
stats dc(source) as sources by index
You can also display both pieces of information:

index=* earliest=-24h@h latest=now
| stats count dc(source) as sources by index

Bye.
Giuseppe

P.S.: if this answer is good for you, please remember to accept or upvote it

0 Karma

DDewarSplunk
New Member

Many Thanks G

D

0 Karma

DDewarSplunk
New Member

Thanks Giuseppe I appreciate your time with this.

I am running this and it shows me the total "events" (Huge number)

| eventcount index=* earliest=-24h@h latest=now summarize=false
| dedup index
| sort count desc

If I run your latest then I get an error :-Error in 'stats' command: The argument 'stats' is invalid.

Any ideas ? 😞

0 Karma

gcusello
SplunkTrust

Hi DDewarSplunk,
you don't need to use eventcount; in addition, if you dedup index, count will always be 1.

What do you want to display: the number of events for each index? The number of sources?

If you want the total events, you can use addcoltotals:

index=* earliest=-24h@h latest=now
| stats count dc(source) as sources by index
| addcoltotals labelfield=index

See Distributed Monitoring Console

Bye.
Giuseppe

0 Karma
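Putting the thread together (Giuseppe's count plus dc(source) per index with a total row, and the tstats approach from Stophs and sbbadri), here is a single search for the last 24 hours that reads the indexed fields instead of pulling every raw event, and that includes the internal indexes, which index=* alone skips. This is an added example and not code from any of the posters; it assumes a default Splunk deployment in which the internal indexes are the ones whose names start with an underscore.

```spl
| tstats count AS events dc(source) AS sources
    WHERE (index=* OR index=_*) earliest=-24h@h latest=now
    BY index
| sort - events
| addcoltotals labelfield=index events
```

Passing the field list `events` to addcoltotals is deliberate: it keeps the total row from summing the sources column, which is a distinct count per index and would be overstated if the same source writes to more than one index. The events figure is exact and, like stats count, counts indexed events, not files; the sources figure is what the question called "log files", namely the number of distinct source values (typically file paths) seen in each index over the window.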