Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How many sources are there and what are the sizes of each sources?

zacksoft
Contributor
‎06-07-2018 02:16 AM

I am trying to write a code where I should be able to count how many 'Sources' are there and the size/linecount of each sources.

This is what I have composed so far.

| index=rambo host=GA20htkram001  source="/bsahare/bsassian/application-data/rambo/xml-data/builds/*" | stats dc(source) as distinct_sources
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎06-07-2018 02:44 AM

Try this (get's you all sources with their respective event count in your system for index=rambo):

| metadata type=sources where index=rambo

Or:

| tstats count where index=rambo by source

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-07-2018 02:50 AM

@zacksoft ,

Can you please try following search?

| index=rambo host=GA20htkram001 source="/bsahare/bsassian/application-data/rambo/xml-data/builds/*" | eval size = len(_raw)  | stats count sum(size) as size  by source

You can also use metadata like following search for all source and count

| metadata type=sources | table source totalCount
Reply
Solved! Jump to solution

zacksoft
Contributor
‎06-07-2018 03:24 AM

And in the second suggestion, | metadata type=sources | table source totalCount
It gives me all the sources of all the indexes. How do I make sure it only gives me data of index=rambo and 'source' that are of the format "/bsahare/bsassian/application-data/rambo/xml-data/builds/*" And no duplicate sources .

0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎06-07-2018 03:14 AM

I'm applying the first suggestion.
In the visualization I'm trying column graph. How do I make sure that the source names come in X-axis and the Line Count shows in Y-axis?
Using the suggestion the visualization look weird.
Is it possible to get the top 20 sources with highest linecount?

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-07-2018 03:27 AM

PLease try this;

 | index=rambo host=GA20htkram001 source="/bsahare/bsassian/application-data/rambo/xml-data/builds/*" | eval size = len(_raw)  | stats count sum(size) as size  by source  | sort 20 count
0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎06-07-2018 02:44 AM

Try this (get's you all sources with their respective event count in your system for index=rambo):

| metadata type=sources where index=rambo

Or:

| tstats count where index=rambo by source
0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎06-07-2018 03:30 AM

| metadata type=sources where index=rambo

In the above command how do I put condition so that in only searches the sources that are of format "/bsahare/bsassian/application-data/rambo/xml-data/builds/*" . Currently it gives me all the sources from index rambo.

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎06-07-2018 03:36 AM

Just add a | search source="/bsahare/bsassian/application-data/rambo/xml-data/builds/*" at the end.

0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎06-07-2018 03:47 AM

Thanks .. This is exactly what I wanted.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...