Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Reporting total scanned events in emailed search results

Akita881
New Member
‎11-20-2012 03:20 PM

After running a search the display above the time bar will show X amount of matching events, indicating the number of events scanned through to produce the results. I would like to include that number in the output of the search, which I have emailed to me. Currently the email only contains the table of results, without the total events scanned. Any help would be appreciated.

Tags (1)
0 Karma
Reply

kplatte
New Member
‎01-09-2017 01:43 PM

The information you are looking for are search parameters; searchCount and resultCount. A complete description is located under Search properties:
gives the complete number of events scanned and resultCount gives the number that met your search parameters.

0 Karma
Reply

mmacvicar_splun
Splunk Employee
Splunk Employee
‎06-20-2017 03:11 PM

@kplatte you are referring to the job inspector http://docs.splunk.com/Documentation/Splunk/latest/Search/ViewsearchjobpropertieswiththeJobInspector values scanCount and resultCount.

Per this question https://answers.splunk.com/answers/488913/which-search-commands-allow-you-to-display-search.html it requires some effort to get those results in a query.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-21-2012 03:29 AM

Could you post the query used to create the table? It's probably possible to mesh my crude way in there somewhere to do the counting before the charting.

0 Karma
Reply

Akita881
New Member
‎11-21-2012 03:18 AM

I appreciate the response. Thanks. However I was not clear in my original posting. Above the timeline bar graph I will see, for example, 87,556 events scanned and my output table may only have 3 rows. I would like to have the 87,556 events scanned appear in mu output table somewhere. Thanks.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-21-2012 12:12 AM

A crude way would be to sum up a field containing 1:

... | eval eventcount=1 | addcoltotals eventcount

That's assuming the number of table rows equals the number of events scanned.

Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...