Splunk count events

Splunk count events DEFAULT


Acrobat logo Download topic as PDF


Returns the number of events in the specified indexes.


The required syntax is in bold.

| eventcount

Required arguments


Optional arguments

Syntax: index=<string>
Description: A name of the index report on, or a wildcard matching many indexes to report on. You can specify this argument multiple times, for example .
Default: If no index is specified, the command returns information about the default index.
Syntax: list_vix=<bool>
Description: Specify whether or not to list virtual indexes. If , the command does not list virtual indexes.
Default: true
Syntax: report_size=<bool>
Description: Specify whether or not to report the index size. If , the command returns the index size in bytes.
Default: false
Syntax: summarize=<bool>
Description: Specifies whether or not to summarize events across all peers and indexes. If , the command splits the event counts by index and search peer.
Default: true


The command is a report-generating command. See Command types.

Generating commands use a leading pipe character and should be the first command in a search.

Specifying a time range has no effect on the results returned by the command. All of the events on the indexes you specify are counted.

Specifying indexes

You cannot specify indexes to exclude from the results. For example, is not valid syntax.

You can specify the argument multiple times. For example:


Example 1:

Display a count of the events in the default indexes from all of the search peers. A single count is returned.

Example 2:

Return the number of events in only the internal default indexes. Include the index size, in bytes, in the results.

The results appear on the Statistics tab and should be similar to the results shown in the following table.

count index server size_bytes
52550 _audit buttercup-mbpr15.sv.splunk.com 7217152
1423010 _internal buttercup-mbpr15.sv.splunk.com 122138624
22626 _introspection buttercup-mbpr15.sv.splunk.com 98619392
10 _telemetry buttercup-mbpr15.sv.splunk.com 135168
0 _thefishbucket buttercup-mbpr15.sv.splunk.com 0

When you specify , the command returns three fields: , , and . When you specify , the command returns the field. The values in the size_bytes field are not the same as the index size on disk.

Example 3:

Return the event count for each index and server pair. Only the external indexes are returned.

This image shows four rows, one for each index and server combination. There are three columns: count, index, and server.

To return the count all of the indexes including the internal indexes, you must specify the internal indexes separately from the external indexes:

See also

metadata, fieldsummary

Last modified on 21 July, 2020

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.2.0, 8.2.1, 8.2.2

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here »

Closing this box indicates that you accept our Cookie Policy.

Splunk, Splunk>, Turn Data Into Doing, Data-to-Everything and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2021 Splunk Inc. All rights reserved.

Sours: https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Eventcount



Generates summary statistics from fields in your events and saves those statistics in a new field.

Only those events that have fields pertinent to the aggregation are used in generating the summary statistics. The generated summary statistics can be used for calculations in subsequent commands in your search. See Usage.


The required syntax is in bold.

<stats-agg-term> ...

Required arguments

Syntax: <stats-func>( <evaled-field> | <wc-field> ) [AS <wc-field>]
Description: A statistical aggregation function. See Stats function options. The function can be applied to an eval expression, or to a field or set of fields. Use the AS clause to place the result into a new field with a name that you specify. You can use wild card characters in field names.

Optional arguments

Syntax: allnum=<bool>
Description: If set to , computes numerical statistics on each field, if and only if ,all of the values of that field are numerical. If you have a BY clause, the argument applies to each group independently.
Default: false
Syntax: BY <field-list>
Description: The name of one or more fields to group by.

Stats function options

Syntax: The syntax depends on the function that you use. Refer to the table below.
Description: Statistical and charting functions that you can use with the command. Each time you invoke the command, you can use one or more functions. However, you can only use one clause. See Usage.
The following table lists the supported functions by type of function. Use the links in the table to see descriptions and examples for each function. For an overview about using functions with commands, see Statistical and charting functions.


The search processor uses a setting named to limit how much memory the command can use to keep track of information. When the limit is reached, the command processor stops adding the requested fields to the search results.

Do not set as this removes the bounds to the amount of memory the command processor can use. This can lead to search failures.


Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

If you have Splunk Cloud and want to change these limits, file a Support ticket.

Differences between eventstats and stats

The command is similar to the command. You can use both commands to generate aggregations like average, sum, and maximum.

The differences between these commands are described in the following table:

stats command eventstats command
Events are transformed into a table of aggregated search results Aggregations are placed into a new field that is added to each of the events in your output
You can only use the fields in your aggregated results in subsequent commands in the search You can use the fields in your events in subsequent commands in your search, because the events have not been transformed

How eventstats generates aggregations

The command looks for events that contain the field that you want to use to generate the aggregation. The command creates a new field in every event and places the aggregation in that field. The aggregation is added to every event, even events that were not used to generate the aggregation.

For example, you have 5 events and 3 of the events have the field you want to aggregate on. the command generates the aggregation based on the data in the 3 events. A new field is added to every event and the aggregation is added to that field in every event.

Statistical functions that are not applied to specific fields

With the exception of the function, when you pair the command with functions that are not applied to specific fields or expressions that resolve into fields, the search head processes it as if it were applied to a wildcard for all fields. In other words, when you have in a search, it returns results for .

This "implicit wildcard" syntax is officially deprecated, however. Make the wildcard explicit. Write when you want a function to apply to all possible fields.

Functions and memory usage

Some functions are inherently more expensive, from a memory standpoint, than other functions. For example, the function requires far more memory than the function. The and functions also can consume a lot of memory.

If you are using the function without a split-by field or with a low-cardinality split-by by field, consider replacing the function with the the function (estimated distinct count). The function might result in significantly lower memory usage and run times.

Event order functions

Using the and functions when searching based on time does not produce accurate results.

  • To locate the first value based on time order, use the function, instead of the function.
  • To locate the last value based on time order, use the function, instead of the function.

For example, consider the following search.

When you use the and commands for ordering events based on time, use the and functions.

The following search is the same as the previous search except the and functions are replaced with the and functions.

Basic examples

1. Calculate the overall average duration

This example uses the sample data from the Search Tutorial but should work with any format of Apache web access log. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search.

Calculate the overall average duration of a set of transactions, and place the calculation in a new field called .

Because no BY clause is specified, a single aggregation is generated and added to every event in a new field called .

When you look at the list of Interesting Fields, you will see that has only one value.

This image shows the list of Interesting Fields in Splunk Web with the avgdur field highlighted. Only one value is listed

2. Calculate the average duration grouped by a specific field

This example is the same as the previous example except that an average is calculated for each distinct value of the field. The new field is added to each event with the average value based on its particular value of .

When you look at the list of Interesting Fields, you will see that has 79 values, based on the timestamp, duration, and date_minute values.

This image shows the list of Interesting Fields in Splunk Web with the avgdur field highlighted. There are 79 separate values.

3. Search for spikes in the volume of errors

This searches for spikes in error volume. You can use this search to trigger an alert if the count of errors is higher than average, for example.

Extended example

The following example provides you with a better understanding of how the command works. This example is actually a progressive set of small examples, where one example builds on or extends the previous example.

It's much easier to see what the command does by showing you examples, using a set of simple events.

These examples use the command to create a set of events. The and commands are used to create additional fields in the events.

Creating a set of events

Let's start by creating a set of four events. One of the events contains a null value in the field.

  • The command is used to create the field. The command calculates a cumulative count for each event, at the time the event is processed.
  • The command is used to create two new fields, and . The command uses the value in the count field.
  • The function takes pairs of arguments, such as . The first argument is a Boolean expression. When that expression is TRUE, the corresponding second argument is returned.

The results of the search look like this:

_time age city count
2020-02-05 18:32:07 25 San Francisco 1
2020-02-05 18:32:07 39 Seattle 2
2020-02-05 18:32:07 31 San Francisco 3
2020-02-05 18:32:07 Seattle 4

Using eventstats with a BY clause

The BY clause in the command is optional, but is used frequently with this command. The BY clause groups the generated statistics by the values in a field. You can use any of the statistical functions with the command to generate the statistics. See the Statistical and charting functions.

In this example, the command generates the average age for each city. The generated averages are placed into a new field called .

The following search is the same as the previous search, with the command added at the end:

  • For , the average age is 28 = (25 + 31) / 2.
  • For , there is only one event with a value. The average is 39 = 39 / 1. The command places that average in every event for Seattle, including events that did not contain a value for .

The results of the search look like this:

_time age avg(age) city count
2020-02-05 18:32:07 25 28 San Francisco 1
2020-02-05 18:32:07 39 39 Seattle 2
2020-02-05 18:32:07 31 28 San Francisco 3
2020-02-05 18:32:07 39 Seattle 4

Renaming the new field

By default, the name of the new field that is generated is the name of the statistical calculation. In these examples, that name is . You can rename the new field using the AS keyword.

In the following search, the command has been adjusted to rename the new field to .

The results of the search look like this:

_time age average age by city city count
2020-02-05 18:32:07 25 28 San Francisco 1
2020-02-05 18:32:07 39 39 Seattle 2
2020-02-05 18:32:07 31 28 San Francisco 3
2020-02-05 18:32:07 39 Seattle 4

Events with text values

The previous examples show how an event is processed that does not contain a value in the field. Let's see how events are processed that contain an alphabetic character value in the field that you want to use to generate statistics .

The following search includes the word as a value in the field.

The results of the search look like this:

_time age city count
2020-02-05 18:32:07 25 San Francisco 1
2020-02-05 18:32:07 39 Seattle 2
2020-02-05 18:32:07 31 San Francisco 3
2020-02-05 18:32:07 test Seattle 4

Let's add the command to the search.

The alphabetic values are treated like null values. The results of the search look like this:

_time age avg(age) city count
2020-02-05 18:32:07 25 28 San Francisco 1
2020-02-05 18:32:07 39 39 Seattle 2
2020-02-05 18:32:07 31 28 San Francisco 3
2020-02-05 18:32:07 test 39 Seattle 4

Using the allnum argument

But suppose you don't want statistics generated when there are alphabetic characters in the field or the field is empty?

The argument controls how the command processes field values. The default setting for the argument is FALSE. Which means that the field used to generate the statistics does not need to contain all numeric values. Fields with empty values or alphabetic character values are ignored. You've seen this in the earlier examples.

You can force the command to generate statistics only when the fields contain all numeric values. To accomplish this, you can set the argument to TRUE.

The results of the search look like this:

_time age avg(age) city count
2020-02-05 18:32:07 25 28 San Francisco 1
2020-02-05 18:32:07 39 Seattle 2
2020-02-05 18:32:07 31 28 San Francisco 3
2020-02-05 18:32:07 test Seattle 4

Because the field contains values for Seattle that are not all numbers, the entire set of values for Seattle are ignored. No average is calculated.

The argument applies to empty values as well as alphabetic character values.

See also

Search commands > stats, eventstats and streamstats
Sours: https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Eventstats
  1. Cute mug clipart
  2. Jbl club car speakers
  3. Life changing synonym
  4. Laney amps review
  5. Borderlands handsome jack face

I've been looking for ways to get fast results for inquiries about the number of events for:

  1. All indexes
  2. One index
  3. One sourcetype

And for #2 by sourcetype and for #3 by index.

Here are the ideas I've come up with, and I thought I'd share them, plus give a Splunk Answer that others can add to. If you have something clever in this general area (that's fast) please share it here.

Count of events for an index or across all of them with eventcount:

There is no way to restrict it to a particular sourcetype or source,
and the Time Picker has no effect on it -- It counts all events in
an index for all time.

Here is how to look at all the non-internal indexes:

Similar search with tstats:

This does respect the Time Picker, so if you do last 7 days you
get a count for each index, for each day.

This gives the count of events for one index, with Time Picker set to Week to date:

index _time count
winevent_dc_index 2019-02-03 7765708
winevent_dc_index 2019-02-04 9837331
winevent_dc_index 2019-02-05 10624149
winevent_dc_index 2019-02-06 10198089
winevent_dc_index 2019-02-07 5475228

But I hadn't been able to figure this out for a sourcetype-based search
until today. This works great on the main index, which has lots of sourcetypes:

Whereas this search provides the count for a particular sourcetype, by index, by day:

I finally decided that I'd like to see Events Per Second for all sourcetypes averaged over a given period. I'm using Last 7 days with this:

Here is a search that provides the EPS number per sourcetype over 7 days for all sourcetypes:

But, for something like syslog (which is so generic) this search is better because I can tell by index and host what the syslogs are:

Sours: https://community.splunk.com/t5/Splunk-Search/Fast-searches-for-a-count-of-events-in-various-ways/m-p/448605
Splunk Commands - Splunk stats - Splunk eventstats

Corero’s DDoS Analytics App for Splunk Enterprise leverages Splunk software for big data analytics and visualization capabilities that transform security event data into sophisticated dashboards. For those who use Splunk, this blog will explain some real-world, everyday uses of the application. As you read through the stats commands shown below, keep in mind that these commands are being done on created example data as actual Corero events are much more detailed.

How to Structure Splunk Data

When using Splunk, the key to showcasing your data or unearthing hidden correlations is understanding the stats command returned results, and molding those results to suit your needs. For example, Figure 1 below is a Splunk dashboard of some packet data. The data consists of 15 events. Depending on the how the stats command is used, different views of the same data can be visualized.


To simply count the events: stats count
This counts the events and gives a one row, one column answer of 15.

The stats command can count occurrences of a field in the events.
To count the events, count the events with a dip (destination IP) field, and count the events with a dprt (destination port) field: stats count count(dip) count(dprt)
Notice that the count(dprt) is one less, this is because one of the events does not have a dprt field (it is an ICMP packet). All the counts appear on the same row, this is important in future operations and when comparing data.

The stats command also allows counting by a field, when this is done a row is created for every distinct value of that field.
To count the number of events per dip: stats count by dip
There are four different IP addresses in the data set so four rows are created. If an event did not have a dip field, it would NOT be listed.

Multiple by fields can be used, each distinct combination will have a row. To count each dip and dprt combination: stats count by dip dprt
Notice that the dip only has two entries, where in the preceding example it had three. This is because one of the events was ICMP and has no dprt. Any event that doesn’t have ALL of the by fields will not be shown.

Both examples on the bottom row of the figure are breakdowns by prot (protocol) and show the same numerical results.

Count the events by protocol using a by field (creating a row for each distinct protocol):
stats count by prot | replace 1 with icmp, 6 with tcp, 17 with udp in prot
The replace command is just to ease comparison and is not needed

Count the events by protocol using conditional counting (creating a column for each distinct protocol listed):
stats count(eval(prot=1)) as icmp count(eval(prot=6)) as tcp count(eval(prot=17)) as udp

While both are “correct”, in some cases data needs to be manipulated with evals and other commands and this can only happen when the data is in the same row.

The second example uses a conditional count; by using an eval in the count, only certain events are counted. This conditional counting must also be accompanied by the “as” command to rename the field created, because all three cannot use the same field name of count. In this case the protocol name was used. While this has some benefits, the downside is that the protocols must be listed by hand, unlike when using the “by” field. By using the correct stats command, preparing your data for further analysis or viewing becomes a lot easier.

For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. If you’d like to learn more, please contact us.

Sours: https://www.corero.com/blog/using-the-stats-command-in-splunk-to-bend-data-to-your-will/

Events splunk count

He no longer understood how she caressed his hands, lips, tongue, everything was confused, bringing unearthly pleasure. Fireworks exploded in his brain, ran through his body, and came out in the lower abdomen, with strong jolts into her warm mouth. She got up, went to the window, watching the fiery flowers in the sky.

Splunk Commands - Splunk stats - Splunk eventstats

Take off your nasty wet T-shirt and shorts. Immediately throwing them off, I sat down, hugging you to me. I sat down cross-legged, and you hugged me with your legs and sat facing me. - Where are you cold.

You will also be interested:

Like a girl at 16 has a tight hole. and the ass is not touched at all in my opinion. "well, I'll have to try," I replied, she got closer to my legs and said take off the shorts, I started to pull. Off the shorts with swimming trunks, leave the swimming trunks, why did I think: it turned out that she was still so spoiled: She took him out of the swimming trunks a little and began to lick the head: ooooooo, how nice it is: I wanted this for 10 years and now it happened: I could not stand the swimming trunks and that's it my dignity fell into her hands: it is impossible to describe what surprise and delight was on her face: (well, not wine I am a god that nature has rewarded me like that).

980 981 982 983 984