- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How many sources are there and what are the sizes ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to write a code where I should be able to count how many 'Sources' are there and the size/linecount of each sources.
This is what I have composed so far.
| index=rambo host=GA20htkram001 source="/bsahare/bsassian/application-data/rambo/xml-data/builds/*" | stats dc(source) as distinct_sources
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (get's you all sources with their respective event count in your system for index=rambo):
| metadata type=sources where index=rambo
Or:
| tstats count where index=rambo by source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@zacksoft ,
Can you please try following search?
| index=rambo host=GA20htkram001 source="/bsahare/bsassian/application-data/rambo/xml-data/builds/*" | eval size = len(_raw) | stats count sum(size) as size by source
You can also use metadata like following search for all source and count
| metadata type=sources | table source totalCount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And in the second suggestion, | metadata type=sources | table source totalCount
It gives me all the sources of all the indexes. How do I make sure it only gives me data of index=rambo and 'source' that are of the format "/bsahare/bsassian/application-data/rambo/xml-data/builds/*" And no duplicate sources .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm applying the first suggestion.
In the visualization I'm trying column graph. How do I make sure that the source names come in X-axis and the Line Count shows in Y-axis?
Using the suggestion the visualization look weird.
Is it possible to get the top 20 sources with highest linecount?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PLease try this;
| index=rambo host=GA20htkram001 source="/bsahare/bsassian/application-data/rambo/xml-data/builds/*" | eval size = len(_raw) | stats count sum(size) as size by source | sort 20 count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (get's you all sources with their respective event count in your system for index=rambo):
| metadata type=sources where index=rambo
Or:
| tstats count where index=rambo by source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| metadata type=sources where index=rambo
In the above command how do I put condition so that in only searches the sources that are of format "/bsahare/bsassian/application-data/rambo/xml-data/builds/*" . Currently it gives me all the sources from index rambo.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just add a | search source="/bsahare/bsassian/application-data/rambo/xml-data/builds/*" at the end.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks .. This is exactly what I wanted.
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
