topic Query Events rate by host in Reporting

Query Events rate by host

gfriedmann — Sat, 12 Jun 2010 04:54:11 GMT

I'm trying to query events per host over a certain time period. Event rate, or events per second, by HOST. I'd like a table of "Of all hosts, this is the message count for 1) Last 1 minute, 2) Last 5 mins, 3) Last 15 minutes.

Ultimately, i'd like a little graph of eventrate over time for multiple hosts. This would help me visually identify which hosts are suddenly responsible for many more events than usual.

I feel like this might be in metadata somewhere. (new user, so i'm not very familiar).

Re: Query Events rate by host

gfriedmann — Mon, 28 Sep 2020 09:13:44 GMT

Found the answer when searching for "volume"

http://answers.splunk.com/questions/140/how-do-i-determine-my-indexing-volume-by-host-source-or-sourcetype

per host metrics are also included in the var/log/splunk/metrics.log . Search for "group=per_host_thruput"

Now, to get to the visual representation....

Re: Query Events rate by host

sideview — Sat, 12 Jun 2010 07:38:29 GMT

I think the best starting point, and with pretty low effort, is just this.

Go to the 'Advanced Charting View' and run the following:

index=_internal source=*metrics.log group=per_host_thruput | timechart sum(kb) avg(eps) by series

A more brute force way to do something similar (since you only want the count of events anyway) is to just run

* | timechart count by host

Re: Query Events rate by host

EmanueleR — Sun, 21 Mar 2021 15:43:05 GMT

Hi,

Like the splunk training teaches, a wildcard before a name field is bad practise.

It's important to use wildcards always before, so neither in the middle.