https://community.splunk.com/t5/Splunk-Search/log-volume-by-host/m-p/541078#M153170 <P>Hello,</P><P>I have 26 hosts reporting data to a specific index. These hosts are prone to malfunction at any time <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Is there a search I can do that will show me any dramatic increases in logging volume from any of the hosts?</P><P>&nbsp;</P><P>Thanks</P> Tue, 23 Feb 2021 20:11:20 GMT bgill0123 2021-02-23T20:11:20Z https://community.splunk.com/t5/Splunk-Search/log-volume-by-host/m-p/541078#M153170 <P>Hello,</P><P>I have 26 hosts reporting data to a specific index. These hosts are prone to malfunction at any time <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Is there a search I can do that will show me any dramatic increases in logging volume from any of the hosts?</P><P>&nbsp;</P><P>Thanks</P> Tue, 23 Feb 2021 20:11:20 GMT https://community.splunk.com/t5/Splunk-Search/log-volume-by-host/m-p/541078#M153170 bgill0123 2021-02-23T20:11:20Z https://community.splunk.com/t5/Splunk-Search/log-volume-by-host/m-p/541206#M153216 <P>Hi bgill0123,</P><P>&nbsp;</P><P>in order to get an overview of the data ingestion rates by host you can use this example:</P><P>&nbsp;</P><LI-CODE lang="markup">index=_internal sourcetype=splunkd fwdType=* group=tcpin_connections(connectionType=cooked OR connectionType=cookedSSL) | timechart minspan=30s avg(eval(tcp_KBps)) as "KB/s", avg(tcp_eps) as "Events/s" by hostname</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Additionally if you are using the Monitoring Console you can find desired information here:<BR /><A href="https://community.splunk.com/" target="_blank">https://&lt;your_MC&gt;:8000/en-GB/app/splunk_monitoring_console/forwarder_deployment</A><BR /><BR />In order to only get the the dramatically increased ingestion-rates you need to define what "dramatic" means.<BR />If we are going with "double" == "dramatic" then we can run the following example:</P><P>&nbsp;</P><LI-CODE lang="markup">index=_internal sourcetype=splunkd "group=tcpin_connections" ("connectionType=cooked" OR "connectionType=cookedSSL") earliest="-2d@d" latest=@d | fields hostname, tcp_KBps | bin _time span=1h | stats max(eval(tcp_KBps)) as "max_kbs" by _time, hostname | stats avg(max_kbs) as avg_max_kbs latest(max_kbs) as latest_max_kbs by hostname | eval dramatic_threshold=avg_max_kbs*2 | eval dramatic=if(latest_max_kbs&gt;dramatic_threshold,"true","false") | where dramatic=="true"</LI-CODE><P><BR />This will give you a list of hosts where in the last 1h there was a peak higher than the average peaks in the last 2 days.</P><P>This can be modified to calculate the Volume as well.&nbsp;<BR /><BR />-----<BR />Hope this helps.<BR />If this answer helped you, please upvote/mark as resolution.<BR /><BR />Kind,<BR />Florian</P><P>&nbsp;</P> Wed, 24 Feb 2021 13:11:20 GMT https://community.splunk.com/t5/Splunk-Search/log-volume-by-host/m-p/541206#M153216 effem2 2021-02-24T13:11:20Z https://community.splunk.com/t5/Splunk-Search/log-volume-by-host/m-p/541227#M153229 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/74891">@bgill0123</a>&nbsp;,<BR /><BR />The below query will give the total count of events per host every hour for the index. You can select any chart to see the pattern.</P><LI-CODE lang="markup">| tstats count where index="indexname" by host, _time | timechart span=1h sum(count) as count by host</LI-CODE><P>&nbsp;</P><P>If this reply helps you, an upvote/like would be appreciated.</P> Wed, 24 Feb 2021 14:41:09 GMT https://community.splunk.com/t5/Splunk-Search/log-volume-by-host/m-p/541227#M153229 manjunathmeti 2021-02-24T14:41:09Z