eventcount
Description
Returns the number of events in the specified indexes.
Syntax
| eventcount [index=<string>]... [summarize=<bool>] [report_size=<bool>] [list_vix=<bool>]
Required arguments
None.
Optional arguments
- index
- Syntax: index=<string>
- Description: The name of an index to report on, or a wildcard matching many indexes to report on. You can specify this argument multiple times, for example index=* index=_*.
- Default: If no index is specified, the command returns information about the default index.
- list_vix
- Syntax: list_vix=<bool>
- Description: Specify whether or not to list virtual indexes. If list_vix=false, the command does not list virtual indexes.
- Default: true
- report_size
- Syntax: report_size=<bool>
- Description: Specify whether or not to report the index size. If report_size=true, the command returns the index size in bytes.
- Default: false
- summarize
- Syntax: summarize=<bool>
- Description: Specifies whether or not to summarize events across all peers and indexes. If summarize=false, the command splits the event counts by index and search peer.
- Default: true
Usage
The eventcount command is a report-generating command. See Command types.
Generating commands use a leading pipe character and should be the first command in a search.
Specifying a time range has no effect on the results returned by the eventcount command. All of the events on the indexes you specify are counted.
Specifying indexes
You cannot specify indexes to exclude from the results. For example, index!=foo is not valid syntax.
You can specify the index argument multiple times. For example:
| eventcount summarize=false index=_audit index=main
Examples
1. Calculate the total number of events in the default indexes
Display a count of the events in the default indexes from all of the search peers. A single count is returned.
| eventcount
2. Return the number of events in the internal default indexes
Return the number of events in only the internal default indexes. Include the index size, in bytes, in the results.
| eventcount summarize=false index=_* report_size=true
The results appear on the Statistics tab and look something like this:
count | index | server | size_bytes |
---|---|---|---|
209974 | _audit | buttercup-mbpr15.sv.splunk.com | 26058752 |
3058012 | _internal | buttercup-mbpr15.sv.splunk.com | 318246912 |
39993 | _introspection | buttercup-mbpr15.sv.splunk.com | 163684352 |
30 | _telemetry | buttercup-mbpr15.sv.splunk.com | 372736 |
0 | _thefishbucket | buttercup-mbpr15.sv.splunk.com | 0 |
- When you specify summarize=false, the command returns three fields: count, index, and server.
- When you specify report_size=true, the command returns the size_bytes field.
- The values in the size_bytes field are not the same as the index size on disk.
3. Return the number of events in each external index
Return the event count for each index and server pair. Only the external indexes are returned.
| eventcount summarize=false index=*
The results appear on the Statistics tab and look something like this:
count | index | server |
---|---|---|
112421 | cisco-esa | buttercup-mbpr15.sv.splunk.com |
0 | history | buttercup-mbpr15.sv.splunk.com |
3453666 | main | buttercup-mbpr15.sv.splunk.com |
0 | summary | buttercup-mbpr15.sv.splunk.com |
4. Return the number of events in all internal and external indexes
To return the count of all of the indexes, including the internal indexes, you must specify the internal indexes separately from the external indexes.
| eventcount summarize=false index=* index=_*
count | index | server |
---|---|---|
210370 | _audit | buttercup-mbpr15.sv.splunk.com |
3063410 | _internal | buttercup-mbpr15.sv.splunk.com |
40144 | _introspection | buttercup-mbpr15.sv.splunk.com |
30 | _telemetry | buttercup-mbpr15.sv.splunk.com |
0 | _thefishbucket | buttercup-mbpr15.sv.splunk.com |
112421 | cisco-esa | buttercup-mbpr15.sv.splunk.com |
0 | history | buttercup-mbpr15.sv.splunk.com |
3453666 | main | buttercup-mbpr15.sv.splunk.com |
0 | summary | buttercup-mbpr15.sv.splunk.com |
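The following search is an added example, not part of the original documentation. With summarize=false the counts are split by index and search peer, so piping them to stats rolls them up per index and flags indexes that hold no events, a quick check that an expected log source is actually being indexed. The field names total_events, total_size_bytes, peers, and status are chosen for this example.

```spl
| eventcount summarize=false index=* index=_* report_size=true
| stats sum(count) AS total_events, sum(size_bytes) AS total_size_bytes, dc(server) AS peers BY index
| eval status=if(total_events=0, "empty", "has_events")
| sort 0 total_events
```

Against the sample results shown above, _thefishbucket, history, and summary would be listed first with status=empty. Because a time range has no effect on eventcount, an index flagged as empty currently holds no events at all; this search does not show that an index recently stopped receiving data.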
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the eventcount command.
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13