SPL
Count all events for one or more indexes
Description
Total count of all events for one or more indexes.
Approach 1 (fastest)
| eventcount index=foo
or
| eventcount index=foo index=bar
Does *not* support time ranges in the time picker. Tested on: Splunk v6.6
Approach 2 (fast, especially when tsidx files are *not* reduced)
| tstats count where index=foo OR index=bar by span=1d _time index
Supports time ranges in the time picker. Tested on: Splunk v6.6
Approach 3 (slow; use it if tstats does not satisfy your requirements)
index=foo OR index=bar | chart count(index) by index | sort - count(index) | rename count(index) as "Eventcount"
Supports time ranges in the time picker and of course earliest and latest fields in the query itself. Tested on: Splunk v6.6
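Added example (not part of the original snippet): Approach 2 as written returns one row per day and index, so to get a single total per index over the time-picker range, roll the daily buckets up with stats and append a grand total. The index names foo and bar are the page's placeholders; the field name Eventcount and the "ALL" label are assumptions.

```spl
| tstats count where index=foo OR index=bar by span=1d _time index
| stats sum(count) as Eventcount by index
| addcoltotals labelfield=index label="ALL" Eventcount
| sort - Eventcount
```

Because tstats honours the time picker, the totals cover only the selected range, unlike eventcount, which ignores it.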