https://community.splunk.com/t5/Deployment-Architecture/Example-of-how-to-monitor-log-volume-trends/m-p/487724#M16914 <P>Update: I added a related video.</P> Mon, 09 Dec 2019 17:33:18 GMT sloshburch 2019-12-09T17:33:18Z https://community.splunk.com/t5/Deployment-Architecture/Example-of-how-to-monitor-log-volume-trends/m-p/487722#M16912 <P>Does anyone have examples of how to use Splunk to monitor log volume trends?</P> Wed, 20 Nov 2019 16:37:00 GMT https://community.splunk.com/t5/Deployment-Architecture/Example-of-how-to-monitor-log-volume-trends/m-p/487722#M16912 sloshburch 2019-11-20T16:37:00Z https://community.splunk.com/t5/Deployment-Architecture/Example-of-how-to-monitor-log-volume-trends/m-p/487723#M16913 <H2><EM>The Splunk Product Best Practices team helped produce this response. Read more about use case examples <A href="https://docs.splunk.com/Documentation/UseCases">Splunk® Platform Use Cases</A> on Splunk Docs.</EM></H2> <P>This use case enables analysts and application developers to monitor trends in the number of events being logged by an application, which can indicate the state of your application and/or changes in behavior of your code or environment.</P> <P>This use case is from the Splunk Essentials for Infrastructure Troubleshooting and Monitoring app. For more examples, see the <A href="https://splunkbase.splunk.com/app/4091">Splunk Essentials for Infrastructure Troubleshooting and Monitoring</A> on Splunkbase.</P> <P><A href="https://www.youtube.com/watch?v=NznAkrI2IO8&amp;list=PL7zWAA-DF0k98jw_Hseh7JyQ74fq8AxYT" target="_blank"><IMG alt="Log Volume Trending" src="https://i.ytimg.com/vi/NznAkrI2IO8/hqdefault.jpg" /></A></P> <H1>Load data</H1> <P><STRONG>How to implement:</STRONG> Ingest application, operating system, microservices, virtualization, and/or network logs into Splunk Enterprise. Summarize the event count over time using the <CODE>timechart</CODE> command. Leverage any fields that provide useful split by fields present in your logs, such as host, response code, or log level.</P> <P><STRONG>Data check:</STRONG> This use case depends on application, operating system, microservices, virtualization, or network logs. For best results, add the desired sources, source types, hosts, or indexes to the first line of the base search.</P> <H1>Get insights</H1> <P>Baseline and analyze log volume trends in your applications to monitor their relative health using the <CODE>timechart</CODE> command and <CODE>split by</CODE> fields present in your logs, such as host, response code, or log level. Analysts and application developers can inve</P> <P>Use the following search:<BR /> <PRE>index=*<BR /> | timechart limit=0 partial=false span=1m count BY host</PRE></P> <P><STRONG>Best practice:</STRONG> In searches, replace the asterisk in <CODE>index=*</CODE> with the name of the <A href="https://docs.splunk.com/Splexicon:Index">index</A> that contains the data. By default, Splunk stores data in the <CODE>main</CODE> index. Therefore, <CODE>index=*</CODE> becomes <CODE>index=main</CODE>. Use the <CODE>OR</CODE> operator to <A href="https://docs.splunk.com/Documentation/Splunk/latest/Search/Searchindexes#Specify_one_or_multiple_indexes_to_search">specify one or multiple indexes to search</A>. For example, <CODE>index=main OR index=security</CODE>. See <A href="https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Aboutmanagingindexes">About managing indexes</A> and <A href="https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Howindexingworks">How indexing works</A> in Splunk docs for details.</P> <H1>Help</H1> <P>If no results appear, deploy the Add-ons to the search heads to access the knowledge objects necessary for simple searching. See <A href="https://docs.splunk.com/Documentation/AddOns/released/Overview/Installingadd-ons">About installing Splunk add-ons</A> on Splunk Docs for assistance.</P> <P>For more support, <A href="https://answers.splunk.com/answers/ask.html?topics=usecase">post a question to the Splunk Answers community</A>.</P> Wed, 20 Nov 2019 16:37:36 GMT https://community.splunk.com/t5/Deployment-Architecture/Example-of-how-to-monitor-log-volume-trends/m-p/487723#M16913 sloshburch 2019-11-20T16:37:36Z https://community.splunk.com/t5/Deployment-Architecture/Example-of-how-to-monitor-log-volume-trends/m-p/487724#M16914 <P>Update: I added a related video.</P> Mon, 09 Dec 2019 17:33:18 GMT https://community.splunk.com/t5/Deployment-Architecture/Example-of-how-to-monitor-log-volume-trends/m-p/487724#M16914 sloshburch 2019-12-09T17:33:18Z