Search Reference

 


eventcount

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

eventcount

Description

Returns the number of events in the specified indexes. The eventcount command is a generating command, and should be the first command in the pipeline.

Note: You cannot use this command over different time ranges.

Syntax

| eventcount [index=<string>]... [summarize=<bool>] [report_size=<bool>] [list_vix=<bool>]

Optional arguments

index
Syntax: index=<string>
Description: A name of the index report on, or a wildcard matching many indexes to report on. Can be specified multiple times, for example index=* index=_* If no index is specified, the command returns information about the default index.
list_vix
Syntax: list_vix=<bool>
Description:Specify whether or not to list virtual indexes. If list_vix=false, the command does not list virtual indexes.
Default: true
report_size
Syntax: report_size=<bool>
Description: Specify whether or not to report the index size. If report_size=true, the command returns the index size in bytes.
Default: false
summarize
Syntax: summarize=<bool>
Description: Specifies whether or not to summarize events across all peers and indexes. If summarize=false, the command splits the event counts by index and search peer.
Default: true

Examples

Example 1:

Displays event count in the default indexes over all search peers.

| eventcount

Example 2:

Return the number of events in the internal default indexes with the size.

| eventcount summarize=false index=_* report_size=true

Searchref eventcount ex1.2.png

Note: This size is not the same as the index size on disk.

Example 3:

Gives event count by each index/server pair.

| eventcount summarize=false index=*

Searchref eventcount ex1.1.png

If you want to search for the internal indexes, you have to specify them separately:

| eventcount summarize=false index=* index=_*

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the eventcount command.

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2 , 5.0.3 , 5.0.4 , 5.0.5 , 5.0.6 , 5.0.7 , 5.0.8 , 5.0.9 , 5.0.10 , 5.0.11 , 5.0.12 , 5.0.13 , 5.0.14 , 6.0 , 6.0.1 , 6.0.2 , 6.0.3 , 6.0.4 , 6.0.5 , 6.0.6 , 6.0.7 , 6.0.8 , 6.0.9 , 6.0.10 , 6.1 , 6.1.1 , 6.1.2 , 6.1.3 , 6.1.4 , 6.1.5 , 6.1.6 , 6.1.7 , 6.1.8 , 6.1.9 , 6.2.0 , 6.2.1 , 6.2.2 , 6.2.3 , 6.2.4 , 6.2.5 View the Article History for its revisions.


Comments

Shaker ali: You cannot specify a timerange with eventcount.

Ckurtz: You can only specify indexes to include in your output, not indexes to exclude. "index!=foo" is not valid syntax. Also, you do not use boolean operators to specify multiple indexes with eventcount.

Sophy
March 16, 2015

Can we specify the time? Because I only get the all time stats, but when i specify the time it gives me the same number. | eventcount index=* is the search i'm using.

Shaker ali
January 7, 2015

Is it possible to filter this? index=* AND index!=foo doesn't work.

Ckurtz
October 17, 2014

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!