eventcount

Description

Returns the number of events in the specified indexes.

Optional arguments

index
Syntax: index=<string>
Description: A name of the index to report on, or a wildcard matching many indexes to report on. You can specify this argument multiple times, for example index=* index=_*.
Default: If no index is specified, the command returns information about the default index.

list_vix
Syntax: list_vix=<bool>
Description: Specify whether or not to list virtual indexes. If list_vix=false, the command does not list virtual indexes.
Default: true

report_size
Syntax: report_size=<bool>
Description: Specify whether or not to report the index size. If report_size=true, the command returns the index size in bytes.
Default: false

summarize
Syntax: summarize=<bool>
Description: Specifies whether or not to summarize events across all peers and indexes. If summarize=false, the command splits the event counts by index and search peer.

Usage

The eventcount command is a report-generating command. Generating commands use a leading pipe character and should be the first command in a search.

Specifying a time range has no effect on the results returned by the eventcount command. All of the events on the indexes you specify are counted.

Specifying indexes

You can specify the index argument multiple times. You cannot specify indexes to exclude from the results. For example, index!=foo is not valid syntax.

Running in clustered environments

Do not use the eventcount command to count events for comparison in indexer clustered environments. When a search runs, the eventcount command checks all buckets, including replicated and primary buckets, across all indexers in a cluster. As a result, the search may return inaccurate event counts.

Examples

Example 1. Display a count of the events in the default indexes from all of the search peers.

| eventcount

Example 2. Return the number of events in only the internal default indexes. Include the index size, in bytes, in the results.

| eventcount summarize=false index=_* report_size=true

When you specify summarize=false, the command returns three fields: count, index, and server. When you specify report_size=true, the command returns the size_bytes field. The values in the size_bytes field are not the same as the index size on disk. The results appear on the Statistics tab and should be similar to the results shown in the following table.

Example 3. Return the event count for each index and server pair.

| eventcount summarize=false index=_audit index=main

Transactions

A transaction is any group of conceptually related events that spans time, such as a series of events related to the online reservation of a hotel room by a single customer, or a set of events related to a firewall intrusion incident. In this example, the HTTP request event, the HTTP response event, and the log messages are all part of the same web request transaction.

Question: I tried using a transaction with the same start and stop condition: transaction stream startswithMarker endswithMarker. For example, consider streams of events coming from different streams:

stream1: Marker
stream2: Marker
stream1: Marker
stream3: Marker
stream3: Marker
stream2: Marker

Answer: (here I'm assuming the source of dc events is called dc) In Splunk 4.1 transactions support field unification with multi-valued fields, so you can accomplish your goal by having a multivalued field (e.g.