topic Re: splunk in Monitoring Splunk

How find amount not ingested?

sverdhan — Mon, 23 Sep 2024 14:49:04 GMT

i have used the below query to get a list of 25 sourcetypes who are not reporting for the last 30 days ...but i need to know the volume of data ingested by them...kindly suggest any ideas or any alternative methods:

Re: splunk

gcusello — Mon, 23 Sep 2024 12:36:05 GMT

Hi @sverdhan ,

sorry but your requirement isn't so clear:

if a sourcetype didn't reported in the last 30 days, how can you calculate their volume? it's always 0 in the last 30 days.

Maybe you want the logs in the last 6 months, calculating their total volume highlighting if they aren't sending logs from 30 days.

in this case, you can apply a solution like the one you shared.

Anyway, to calculate volume you have two solution:

a more performant (but less precise) solution that uses a medium value (e.g. 1k) for each event.

the calculation of volume using the search from license consuming:

if the sourcetypes to monitor ar in a lookup called perimeter.csv:

| tstats count latest(_time) AS lastTime where index=* [| inputlookup perimeter.csv | fields sourcetype ] earliest=-180d latest=now BY host | eval period=if lastTime>now()-86400*30,"Latest","Previous") | stats sum(count) AS count dc(period) As period_count values(period) AS period BY host | eval status=case(period_count=2,"Always present",period="Latest","Only last Month",period="Previous","Only Previous") | eval volume=count*1/1024/1024 | table host status volume

if instead you want a more detailed solutions but very less performant, you could try:

index=_internal [ rest splunk_server=local /services/server/info | return host] source=*license_usage.log* type="Usage" [| tstats count latest(_time) AS lastTime where index=* [| inputlookup perimeter.csv | fields sourcetype ] earliest=-180d latest=now BY host | fields host ] | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by h fixedrange=false | fields - _timediff | foreach "*" [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Ciao.

Giuseppe

Re: splunk

sverdhan — Mon, 23 Sep 2024 13:40:22 GMT

thank you for your reply , can you suggest any method apart from the lookup one?

Re: splunk

ITWhisperer — Mon, 23 Sep 2024 14:03:42 GMT

Instead of inputlookup, you could use your metadata search to retrieve the sourcetype names. Obviously, this will only include the sourcetypes for which there have been events, and not for all configured sourcetypes.

Re: splunk

sverdhan — Mon, 23 Sep 2024 14:26:59 GMT

Thank you , Do you have a general query to calculate the volume ingested for any sourcetype in general?

Re: splunk

giuseppe — Mon, 23 Sep 2024 14:48:08 GMT

Re: splunk

gcusello — Mon, 23 Sep 2024 14:51:37 GMT

Hi @sverdhan ,

you asked for a list of sourcetypes.

If you want all the sourcetypes, you could try:

index=_internal [ rest splunk_server=local /services/server/info | return host] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by h fixedrange=false | fields - _timediff | foreach "*" [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

that's the one that you can find in the license consuming.

Ciao.

Giuseppe

Re: splunk

Jawahir — Mon, 23 Sep 2024 21:18:28 GMT

index=_internal source=*license_usage.log type="Usage" 
| eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| eval sourcetypename = st
| bin _time span=1d 
| stats sum(b) as b by _time, pool, indexname, sourcetypename
| eval GB=round(b/1024/1024/1024, 3)
| fields _time, indexname, sourcetypename, GB