count all events for 1 or multiple index(es)

Total count of all events for 1 or more index(es)

Approach 1 (fastest)

| eventcount index=foo

or

| eventcount index=foo index=bar

does *not* support time ranges in the time picker
tested on: splunk v6.6

Approach 2 (fast – especially when tsidx are *not* reduced)

| tstats count where index=foo OR index=bar by span=1d _time index

supports time ranges in the time picker
tested on: splunk v6.6

Approach 3 (slow – if tstats is not satisfying your requirements)

index=foo OR index=bar
| chart count(index) by index
| sort - count(index)
| rename count(index) as "Eventcount"

supports time ranges in the time picker and ofc earliest and latest fields in the query itself
tested on: splunk v6.6

Share This:
Tagged:

Leave A Comment?