Archive

How can I find out how much volume hosts are sending to my "main" index?

Explorer

I need to find how much volume hosts are sending to my "main" index. The search below queries the internal index, and I'm not seeing the hosts that I need. If I search a specific host under main index, the host is there and actively sending data to the indexer. I've tried modifying the search from index="_internal" to index="main", and it doesn't report anything back

From:

index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)

To:

index="main" source="WMI:WinEventLog:Security" | chart sum(kb) by series | sort - sum(kb)

But, with only:

index="main" source="WMI:WinEventLog:Security"

Brings back 2710 results from today.

I have hosts that are sending to this index, and I need to be able to tell how much data they're sending, but the internal index isn't showing them for some reason....

0 Karma

Motivator

@johnblakley

Please try with below query,

index=internal source=*licenseusage.log type="Usage" earliest=-30d@d latest=@d | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval idx=main | bin time span=1d | eval b=b/1024/1024/1024 | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | addtotals | join type=outer _time [search index=internal source=*licenseusage.log type="RolloverSummary" earliest=-30d@d latest=@d | bin _time span=1d | stats latest(stacksz) AS "stacksize" by time] | eval stacksize = round(stack_size/1024/1024/1024,5)

There is one app in splunkbase named meta woot. It will give some more capabilities.

https://splunkbase.splunk.com/app/2949/

0 Karma

Explorer

Your search didn't work. It resulted in nothing found. Metawoot doesn't find anything and it doesn't seem like I can change the index to anything but "All".

0 Karma