Splunk® Enterprise

Search Reference


eventcount

Description

Returns the number of events in the specified indexes.

Syntax

| eventcount [index=<string>]... [summarize=<bool>] [report_size=<bool>] [list_vix=<bool>]

Required arguments

None.

Optional arguments

index
Syntax: index=<string>
Description: The name of an index to report on, or a wildcard that matches multiple indexes to report on. You can specify this argument multiple times, for example index=* index=_*.
Default: If no index is specified, the command returns information about the default index.
list_vix
Syntax: list_vix=<bool>
Description: Specify whether or not to list virtual indexes. If list_vix=false, the command does not list virtual indexes.
Default: true
report_size
Syntax: report_size=<bool>
Description: Specify whether or not to report the index size. If report_size=true, the command returns the index size in bytes.
Default: false
summarize
Syntax: summarize=<bool>
Description: Specifies whether or not to summarize events across all peers and indexes. If summarize=false, the command splits the event counts by index and search peer.
Default: true

Usage

The eventcount command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

Specifying a time range has no effect on the results returned by the eventcount command. All of the events on the indexes you specify are counted.

You cannot specify indexes to exclude from the results. For example, index!=foo is not valid syntax.

You can specify the index argument multiple times. For example:

| eventcount summarize=false index=_audit index=main

Examples

1. Calculate the total number of events in the default indexes

Display a count of the events in the default indexes from all of the search peers. A single count is returned.

| eventcount

2. Return the number of events in the internal default indexes

Return the number of events in only the internal default indexes. Include the index size, in bytes, in the results.

| eventcount summarize=false index=_* report_size=true

The results appear on the Statistics tab and look something like this:

count    index           server                          size_bytes
209974   _audit          buttercup-mbpr15.sv.splunk.com  26058752
3058012  _internal       buttercup-mbpr15.sv.splunk.com  318246912
39993    _introspection  buttercup-mbpr15.sv.splunk.com  163684352
30       _telemetry      buttercup-mbpr15.sv.splunk.com  372736
0        _thefishbucket  buttercup-mbpr15.sv.splunk.com  0

  • When you specify summarize=false, the command returns three fields: count, index, and server.
  • When you specify report_size=true, the command returns the size_bytes field.
  • The values in the size_bytes field are not the same as the index size on disk.

3. Return the number of events in each external index

Return the event count for each index and server pair. Only the external indexes are returned.

| eventcount summarize=false index=*

The results appear on the Statistics tab and look something like this:

count    index      server
112421   cisco-esa  buttercup-mbpr15.sv.splunk.com
0        history    buttercup-mbpr15.sv.splunk.com
3453666  main       buttercup-mbpr15.sv.splunk.com
0        summary    buttercup-mbpr15.sv.splunk.com

4. Return the number of events in all internal and external indexes

To return the count of all of the indexes, including the internal indexes, you must specify the internal indexes separately from the external indexes.

| eventcount summarize=false index=* index=_*

count    index           server
210370   _audit          buttercup-mbpr15.sv.splunk.com
3063410  _internal       buttercup-mbpr15.sv.splunk.com
40144    _introspection  buttercup-mbpr15.sv.splunk.com
30       _telemetry      buttercup-mbpr15.sv.splunk.com
0        _thefishbucket  buttercup-mbpr15.sv.splunk.com
112421   cisco-esa       buttercup-mbpr15.sv.splunk.com
0        history         buttercup-mbpr15.sv.splunk.com
3453666  main            buttercup-mbpr15.sv.splunk.com
0        summary         buttercup-mbpr15.sv.splunk.com
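
The Usage section notes that eventcount has no syntax for excluding an index. The following search is an added example, not part of the original topic. It filters on the index field after eventcount has run, adds up the per-peer counts, and flags indexes that hold no events, which is a quick check for a log source that is not arriving. The index name foo is the placeholder used in the Usage section, and the events, peers, and status field names are chosen for this example.

```spl
| eventcount summarize=false index=* index=_*
| where index!="foo"
| stats sum(count) AS events, dc(server) AS peers BY index
| eval status=if(events=0, "empty", "ok")
| sort index
```

Because eventcount ignores the time range, an index marked empty has never received an event that is still retained, not merely none in the selected time window.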

See also

metadata, fieldsummary

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the eventcount command.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.10, 6.2.11, 6.2.13, 6.0.12, 4.3.1, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.12, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 6.2.14, 6.2.2


Comments

Woodcock
Thank you for pointing out the missing See also section. I have added that section and improved the information in the Usage section as well.

Lstewart splunk, Splunker
December 5, 2017

The "See Also" section is missing and it should include (at least) "metadata" and "fieldsummary".

Woodcock
December 4, 2017

Shaker ali: You cannot specify a time range with eventcount.

Ckurtz: You can only specify indexes to include in your output, not indexes to exclude. "index!=foo" is not valid syntax. Also, you do not use boolean operators to specify multiple indexes with eventcount.

Sophy
March 16, 2015

Can we specify the time? Because I only get the all time stats, but when I specify the time it gives me the same number. | eventcount index=* is the search I'm using.

Shaker ali
January 7, 2015

Is it possible to filter this? index=* AND index!=foo doesn't work.

Ckurtz
October 17, 2014
