https://community.splunk.com/t5/Splunk-Enterprise/How-do-I-count-the-number-of-receiving-events-per-univearsal/m-p/345311#M6583 <P>event per second</P> Tue, 08 Aug 2017 11:56:52 GMT 3no 2017-08-08T11:56:52Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-I-count-the-number-of-receiving-events-per-univearsal/m-p/345308#M6580 <P>one day. Some of my universal forwarder have some problems.It sends a lot of duplicate events,On the server, the nginx_access.log file has 20000 logs,But in the indexer, but has 15 million log,The same log even repeated tens of thousands of times.Finally, I think it is the reason why the UFis configured with the <CODE>useACK=true</CODE> parameter.This caused the entire network congestion phenomenon.</P> <P>So now I want to create an alert to monitor whether the UF repeatedly sends the log.</P> <P>In the beginning, I was index-based to determine whether the number of events in the previous hour was at least 5 times greater than or equal to the average,If it is equal to or greater than 5 times, I think the log growth rate is abnormal.But the index too much, I think this method is not perfect</P> <P><CODE>index=test earliest=-4h latest=now|stats count by sourcetype | eval avg=(count/4)|rename count as 4h|appendcols [search index=test earliest=-1h latest=now|stats count by sourcetype]|eval result=if(count/avg&gt;=5,"Incremental anomaly","OK")|where result!=OK|table 4h avg count result</CODE></P> <P>I think we should calculate the number of events received by the UF,For example: UF average number of events received is 20000, if the previous hour to receive the number is 1500000, I think the incident may be repeated. </P> <P>So the question: how do I count the number of each UF, how should I write a search statement?</P> Wed, 02 Aug 2017 12:34:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-I-count-the-number-of-receiving-events-per-univearsal/m-p/345308#M6580 xsstest 2017-08-02T12:34:57Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-I-count-the-number-of-receiving-events-per-univearsal/m-p/345309#M6581 <P>Is this what you're looking for ? </P> <PRE><CODE>index="_internal" source =/apps/splunkforwarder/var/log/splunk/metrics.log group=per_host_thruput | timechart span=4h avg(eps) by series </CODE></PRE> Wed, 02 Aug 2017 13:33:55 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-I-count-the-number-of-receiving-events-per-univearsal/m-p/345309#M6581 3no 2017-08-02T13:33:55Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-I-count-the-number-of-receiving-events-per-univearsal/m-p/345310#M6582 <P>what's is eps?</P> Tue, 08 Aug 2017 11:35:25 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-I-count-the-number-of-receiving-events-per-univearsal/m-p/345310#M6582 xsstest 2017-08-08T11:35:25Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-I-count-the-number-of-receiving-events-per-univearsal/m-p/345311#M6583 <P>event per second</P> Tue, 08 Aug 2017 11:56:52 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-I-count-the-number-of-receiving-events-per-univearsal/m-p/345311#M6583 3no 2017-08-08T11:56:52Z