Splunk Cloud Platform

Search Reference

eventcount

Description

Returns the number of events in specified indexes.

Syntax

The required syntax is in bold.

| eventcount
[index=<string>]...
[summarize=<bool>]
[report_size=<bool>]
[list_federated_remote=<bool>]
[list_vix=<bool>]

Required arguments

None.

Optional arguments

index
Syntax: index=<string>
Description: The name of an index to report on, or a wildcard matching a set of indexes to report on. You can specify this argument multiple times to specify multiple indexes or groups of indexes, like this: index=* index=_*.
Default: If no index is specified, eventcount returns information about the default index.
list_federated_remote
Syntax: list_federated_remote=<bool>
Description: Specify whether to return event counts from specified indexes on any federated providers to which your Splunk platform deployment is connected for the purpose of running federated searches over remote Splunk platform deployments. If list_federated_remote=false, eventcount returns event counts only from your local Splunk platform deployment. See Usage.
Default: false
list_vix
Syntax: list_vix=<bool>
Description: Specify whether to list virtual indexes. If list_vix=false, the command does not list virtual indexes.
Default: true
report_size
Syntax: report_size=<bool>
Description: Specify whether to report the index size. If report_size=true, the command returns the index size in bytes.
Default: false
summarize
Syntax: summarize=<bool>
Description: Specifies whether or not to summarize events across all indexes, providers, and search peers (servers). If summarize=false, the command splits the event counts by index, and additionally provides the provider and server values that correspond to each index.
Default: true

Usage

The eventcount command is a report-generating command. See Command types.

Generating commands use a leading pipe character and should be the first command in a search.

Specifying a time range has no effect on the results returned by the eventcount command. All of the events on the indexes you specify are counted.

Specifying indexes

You cannot specify indexes to exclude from the results. For example, index!=foo is not valid syntax.

You can specify the index argument multiple times. For example:

|eventcount summarize=false index=_audit index=main

See event counts for indexes on remote Splunk platform deployments

If you use Federated Search for Splunk, you can find the count of events in specified indexes on your federated providers by running eventcount with summarize=false and list_federated_remote=true.

When you set summarize=false and list_federated_remote=true, eventcount can return event counts for specified remote indexes on federated providers to which your Splunk platform deployment is connected. The provider column identifies the federated providers that each specified remote index is associated with.

Indexes that are present on your local Splunk platform deployment have a platform value of local. Your local Splunk platform deployment is the Splunk platform deployment from which you run searches.

If you set summarize=false and do not set list_federated_remote or set list_federated_remote=false, eventcount returns event counts only for indexes on your local Splunk platform deployment.

See About Federated Search for Splunk, in Federated Search.

Running in clustered environments

Do not use the eventcount command to count events for comparison in indexer clustered environments. When a search runs, the eventcount command checks all buckets, including replicated and primary buckets, across all indexers in a cluster. As a result, the search may return inaccurate event counts.

Examples

Example 1:

Display a count of the events in the default indexes from all of the search peers. A single count is returned.

| eventcount

Example 2:

Return the number of events in only the internal default indexes. Display the corresponding providers and servers. Include the index size, in bytes, in the results.

| eventcount summarize=false index=_* report_size=true

The results appear on the Statistics tab and will be similar to the results shown in the following table.

count index provider server size_bytes
52550 _audit local buttercup-mbpr15.sv.splunk.com 7217152
1423010 _internal local buttercup-mbpr15.sv.splunk.com 122138624
22626 _introspection local buttercup-mbpr15.sv.splunk.com 98619392
10 _telemetry local buttercup-mbpr15.sv.splunk.com 135168
0 _thefishbucket local buttercup-mbpr15.sv.splunk.com 0

When you specify summarize=false, the command returns four fields: count, index, provider, and server.

When you specify report_size=true, the command returns the size_bytes field. The values in the size_bytes field are not the same as the index size on disk.

Example 3:

For each specified index, return an event count and its corresponding provider and server values. Filter internal indexes out of the result set.

| eventcount summarize=false index=*

The results appear on the Statistics tab and will be similar to the results shown in the following table.

count index provider server
0 history local sting-mba13.sv.splunk.com
109864 main local sting-mba13.sv.splunk.com
0 summary local sting-mba13.sv.splunk.com
6906 usgs_earthquake local sting-mba13.sv.splunk.com

To return the count all of the indexes including the internal indexes, you must specify the internal indexes separately from the external indexes:

| eventcount summarize=false index=* index=_*

Example 4:

Return event counts for the internal indexes in your local Splunk platform deployment and the internal indexes in the remote Splunk platform deployment that is connected to your Splunk deployment as a standard mode federated provider. Filter out indexes that are not internal.

|eventcount summarize=f list_federated_remote=t index=access_* index=federated:access_*

Because this search runs over a standard mode federated provider, you use the federated: syntax to specify the indexes on the federated provider.

The results appear on the Statistics tab and will be similar to the results shown in the following table.

count index provider server
5015002 access_combined local sting-mba13.sv.splunk.com
4994000 access_combined remote01 buttercup-mbpr15.sv.splunk.com
4921285 access_combined_wcookie local sting-mba13.sv.splunk.com
4741874 access_combined_wcookie remote01 buttercup-mbpr15.sv.splunk.com

The search returns event counts for two access_combined indexes and two access_combined_wcookie indexes, but they are not duplicates. Your local Splunk platform deployment has indexes that share names with indexes on its remote federated provider, which is expected.

See Run federated searches over remote Splunk platform deployments, in Federated Search.

See also

metadata, fieldsummary

Last modified on 06 August, 2024
eval   eventstats

This documentation applies to the following versions of Splunk Cloud Platform: 9.2.2406 (latest FedRAMP release)


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters