Splunk search for Count of events by Index
Copy
| tstats count where index=* by span=1d _time index | fields - _time | sort - count
This search will yield a count of all events separated by index. Because this search utilizes the tstats command it can be run over a large timespan and will run very quickly
0 comments
[0]
[0]
[0]
[0]
Sign in or Register to submit a comment