topic Re: Is there a way to show the number of events per distinct count of servers over time? in Splunk Search

Is there a way to show the number of events per distinct count of servers over time?

wzgoda — Tue, 12 Jul 2016 18:25:01 GMT

For my data set, I am looking to see the sum of the number of events per distinct count of servers. Reasoning, I am looking at a data set that has a large increase in volume near increase in Splunk indexing servers. I wanted to see if the increase of Splunk indexers could be the cause of the increase in volume. Any additional insight is appreciated.

Thanks in advance

Re: Is there a way to show the number of events per distinct count of servers over time?

lycollicott — Tue, 12 Jul 2016 18:31:55 GMT

Do you mean that you added a new indexer to an indexer cluster and at the same time you noticed that you were indexing a greater number of events?

Re: Is there a way to show the number of events per distinct count of servers over time?

wzgoda — Tue, 12 Jul 2016 18:34:03 GMT

close.... I added a new indexer and after a short period of time the volume increased. My boss is grilling me for the ration of events per server over time so I just want to get that for her.

Re: Is there a way to show the number of events per distinct count of servers over time?

somesoni2 — Tue, 12 Jul 2016 18:37:28 GMT

Try like this

index=* | timechart span=1d count by splunk_server limit=0 useother=f | addtotals

Re: Is there a way to show the number of events per distinct count of servers over time?

lycollicott — Tue, 12 Jul 2016 18:43:54 GMT

It's possible that your new indexer is collecting something that you aren't aware of, but it's hopefully some other machine and not your indexer. Run this search on the time range just before & after you noticed the increase. (It could be a long search if you have a large environment, so you may want to run it in the background.)

index=* | timechart span=1d count by host

If you have a huge number of hosts then you may need to include the limit and useother parameters, too.

Re: Is there a way to show the number of events per distinct count of servers over time?

dshpritz — Tue, 12 Jul 2016 20:14:42 GMT

Some extra (and possibly faster) fun searches:

| tstats prestats=t count WHERE index=* BY _time host span=1d | timechart span=1d count by host

If you needed that by indexer, you can try something like:

| tstats prestats=t count WHERE index=* BY _time splunk_server span=1d | timechart span=1d count by splunk_server