Splunk® Enterprise

Search Reference

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

eventcount

Description

Returns the number of events in the specified indexes.

Syntax

| eventcount [index=<string>]... [summarize=<bool>] [report_size=<bool>] [list_vix=<bool>]

Required arguments

None.

Optional arguments

index
Syntax: index=<string>
Description: A name of the index report on, or a wildcard matching many indexes to report on. You can specify this argument multiple times, for example index=* index=_*.
Default: If no index is specified, the command returns information about the default index.
list_vix
Syntax: list_vix=<bool>
Description: Specify whether or not to list virtual indexes. If list_vix=false, the command does not list virtual indexes.
Default: true
report_size
Syntax: report_size=<bool>
Description: Specify whether or not to report the index size. If report_size=true, the command returns the index size in bytes.
Default: false
summarize
Syntax: summarize=<bool>
Description: Specifies whether or not to summarize events across all peers and indexes. If summarize=false, the command splits the event counts by index and search peer.
Default: true

Usage

The eventcount command is a report-generating command. See Command types.

Generating commands use a leading pipe character and should be the first command in a search.

Specifying a time range has no effect on the results returned by the eventcount command. All of the events on the indexes you specify are counted.

Specifying indexes

You cannot specify indexes to exclude from the results. For example, index!=foo is not valid syntax.

You can specify the index argument multiple times. For example:

|eventcount summarize=false index=_audit index=main

Examples

1. Calculate the total number of events in the default indexes

Display a count of the events in the default indexes from all of the search peers. A single count is returned.

| eventcount

2. Return the number of events in the internal default indexes

Return the number of events in only the internal default indexes. Include the index size, in bytes, in the results.

| eventcount summarize=false index=_* report_size=true

The results appear on the Statistics tab and look something like this:

count index server size_bytes
209974 _audit buttercup-mbpr15.sv.splunk.com 26058752
3058012 _internal buttercup-mbpr15.sv.splunk.com 318246912
39993 _introspection buttercup-mbpr15.sv.splunk.com 163684352
30 _telemetry buttercup-mbpr15.sv.splunk.com 372736
0 _thefishbucket buttercup-mbpr15.sv.splunk.com 0
  • When you specify summarize=false, the command returns three fields: count, index, and server.
  • When you specify report_size=true, the command returns the size_bytes field.
  • The values in the size_bytes field are not the same as the index size on disk.

3. Return the number of events in each external index

Return the event count for each index and server pair. Only the external indexes are returned.

| eventcount summarize=false index=*

The results appear on the Statistics tab and look something like this:

count index server
112421 cisco-esa buttercup-mbpr15.sv.splunk.com
0 history buttercup-mbpr15.sv.splunk.com
3453666 main buttercup-mbpr15.sv.splunk.com
0 summary buttercup-mbpr15.sv.splunk.com

4. Return the number of events in all internal and external indexes

To return the count all of the indexes including the internal indexes, you must specify the internal indexes separately from the external indexes.

| eventcount summarize=false index=* index=_*

count index server
210370 _audit buttercup-mbpr15.sv.splunk.com
3063410 _internal buttercup-mbpr15.sv.splunk.com
40144 _introspection buttercup-mbpr15.sv.splunk.com
30 _telemetry buttercup-mbpr15.sv.splunk.com
0 _thefishbucket buttercup-mbpr15.sv.splunk.com
112421 cisco-esa buttercup-mbpr15.sv.splunk.com
0 history buttercup-mbpr15.sv.splunk.com
3453666 main buttercup-mbpr15.sv.splunk.com
0 summary buttercup-mbpr15.sv.splunk.com

See also

metadata, fieldsummary

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the eventcount command.

Last modified on 06 August, 2019
PREVIOUS
eval
  NEXT
eventstats

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters