I need to find how much volume hosts are sending to my "main" index. The search below queries the internal index, and I'm not seeing the hosts that I need. If I search a specific host under main index, the host is there and actively sending data to the indexer. I've tried modifying the search from index="_internal" to index="main", and it doesn't report anything back
index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)
index="main" source="WMI:WinEventLog:Security" | chart sum(kb) by series | sort - sum(kb)
But, with only:
Brings back 2710 results from today.
I have hosts that are sending to this index, and I need to be able to tell how much data they're sending, but the internal index isn't showing them for some reason....
Please try with below query,
index=internal source=*licenseusage.log type="Usage" earliest=-30d@d latest=@d | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval idx=main | bin time span=1d | eval b=b/1024/1024/1024 | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | addtotals | join type=outer _time [search index=internal source=*licenseusage.log type="RolloverSummary" earliest=-30d@d latest=@d | bin _time span=1d | stats latest(stacksz) AS "stacksize" by time] | eval stacksize = round(stack_size/1024/1024/1024,5)
There is one app in splunkbase named meta woot. It will give some more capabilities.