topic Re: events per minute in Splunk Search

events per minute

gurinderbhatti — Fri, 21 Feb 2014 15:53:00 GMT

I am a regular user with access to a specific index. i dont have access to any internal indexes.
how do i see how many events per minute or per hour splunk is sending for specific sourcetypes i have? i can not do an alltime real time search.
so is there an other query or app i can run?

index= my_index
sourcetype=/var/log/mysource
host=abc-host101
i need events every 1 min from /var/log/mysource, every 5 mins and every 30 mins

Re: events per minute

aelliott — Mon, 28 Sep 2020 15:57:18 GMT

you could do index=my_index sourcetype=/var/log/mysource host=abc-host101 | bucket _time span=5m | stats count by sourcetype,_time

and

index=my_index sourcetype=/var/log/mysource host=abc-host101 | bucket _time span=30m | stats count by sourcetype,_time

Re: events per minute

gurinderbhatti — Mon, 28 Sep 2020 15:57:21 GMT

Elliott,
i have over 36k events (60 minute search) from a specific host and sourcetype but i tried the below and got 0 matching events:
index=lnx_appmsp sourcetype=/app/mrg/qa/logs/broker.log host=ftc-lpesbmbk301 | bucket_time span=5m | stats count by sourcetype, _time

Re: events per minute

aelliott — Fri, 21 Feb 2014 16:18:41 GMT

You need a space between bucket and _time

Re: events per minute

gurinderbhatti — Fri, 21 Feb 2014 19:24:09 GMT

thank you very much.it works now.