https://community.splunk.com/t5/Splunk-Search/peak-time-of-log-sources/m-p/113433#M29831 <P>Hi ,</P> <P>I have some forwarders installed in my environment and want to calculate the peak time in which log sources forwarded the logs. I have around 15 Universal forwarders installed and looking to create a unified report for all the log sources peak time.(hourly basis). for example If my Log Source A, has send the maximum no of logs between 2-3 pm. SOme thing of that sort.</P> <P>I would greatly appreciate any help.!!</P> <P>Regards<BR /> Lohit</P> Thu, 24 Oct 2013 12:26:12 GMT lohit 2013-10-24T12:26:12Z https://community.splunk.com/t5/Splunk-Search/peak-time-of-log-sources/m-p/113433#M29831 <P>Hi ,</P> <P>I have some forwarders installed in my environment and want to calculate the peak time in which log sources forwarded the logs. I have around 15 Universal forwarders installed and looking to create a unified report for all the log sources peak time.(hourly basis). for example If my Log Source A, has send the maximum no of logs between 2-3 pm. SOme thing of that sort.</P> <P>I would greatly appreciate any help.!!</P> <P>Regards<BR /> Lohit</P> Thu, 24 Oct 2013 12:26:12 GMT https://community.splunk.com/t5/Splunk-Search/peak-time-of-log-sources/m-p/113433#M29831 lohit 2013-10-24T12:26:12Z https://community.splunk.com/t5/Splunk-Search/peak-time-of-log-sources/m-p/113434#M29832 <P>Lohit</P> <P>You could use the license usage logs, something like the following will show how much is being indexed by each UF over time.</P> <P>index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1024| rename h as host | timechart span=1h sum(MB) AS IndexedMB by host</P> <P>Dave</P> Mon, 28 Sep 2020 15:03:41 GMT https://community.splunk.com/t5/Splunk-Search/peak-time-of-log-sources/m-p/113434#M29832 davebrooking 2020-09-28T15:03:41Z https://community.splunk.com/t5/Splunk-Search/peak-time-of-log-sources/m-p/113435#M29833 <P>the above command shows the usage of all the forwarder in a particular time frame. I was looking for only the the follwoing format</P> <P>Source Peak Time Amount of Logs</P> Thu, 24 Oct 2013 13:09:29 GMT https://community.splunk.com/t5/Splunk-Search/peak-time-of-log-sources/m-p/113435#M29833 lohit 2013-10-24T13:09:29Z https://community.splunk.com/t5/Splunk-Search/peak-time-of-log-sources/m-p/113436#M29834 <P>Also i am just looking in timeframe of 1hr(full 24 hrs) of previous day only.</P> Thu, 24 Oct 2013 13:18:09 GMT https://community.splunk.com/t5/Splunk-Search/peak-time-of-log-sources/m-p/113436#M29834 lohit 2013-10-24T13:18:09Z https://community.splunk.com/t5/Splunk-Search/peak-time-of-log-sources/m-p/113437#M29835 <P>You can use this to show the count (rough estimate of volume) by source:</P> <PRE><CODE>index="*" source="*" host="*" |timechart span=1h count by source useother=false limit=50 </CODE></PRE> <P>Or, you can use this to show the count (rough estimate of volume) by host:</P> <PRE><CODE>index="*" source="*" host="*" |timechart span=1h count by host useother=false limit=15 </CODE></PRE> <P>Use the buttons in the upper left to switch between chart and table view.</P> <P>You can try this to show the count by hour, host, and source, but there is too much data for the chart.</P> <PRE><CODE>index="*" source="*" host="*" | bucket _time span=1h |stats count by date_hour,host,source </CODE></PRE> Thu, 24 Oct 2013 14:20:27 GMT https://community.splunk.com/t5/Splunk-Search/peak-time-of-log-sources/m-p/113437#M29835 lukejadamec 2013-10-24T14:20:27Z https://community.splunk.com/t5/Splunk-Search/peak-time-of-log-sources/m-p/113438#M29836 <P>You can change the initial search to match what you need, but this works to get the top value, with 1h buckets, per host:</P> <PRE><CODE>earliest="-1d@d" latest="-0d@d" index=_internal source=*license_usage.log type=Usage s="mylogsourcenamehere" | eval GB=b/1024/1024/1024 | bucket span=1h _time | stats sum(GB) AS GBsum by _time,h | sort -GBsum,h | dedup h </CODE></PRE> <P>Enjoy.<BR /> Jesse</P> Thu, 24 Oct 2013 15:36:12 GMT https://community.splunk.com/t5/Splunk-Search/peak-time-of-log-sources/m-p/113438#M29836 jtrucks 2013-10-24T15:36:12Z