Building for the Splunk Platform

How can I find out how much volume hosts are sending to my "main" index?

johnblakley
Explorer

I need to find how much volume hosts are sending to my "main" index. The search below queries the internal index, and I'm not seeing the hosts that I need. If I search a specific host under main index, the host is there and actively sending data to the indexer. I've tried modifying the search from index="_internal" to index="main", and it doesn't report anything back

From:

index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)

To:

index="main" source="WMI:WinEventLog:Security" | chart sum(kb) by series | sort - sum(kb)

But, with only:

index="main" source="WMI:WinEventLog:Security"

Brings back 2710 results from today.

I have hosts that are sending to this index, and I need to be able to tell how much data they're sending, but the internal index isn't showing them for some reason....

0 Karma

sbbadri
Motivator

@johnblakley

Please try with below query,

index=_internal source=*license_usage.log type="Usage" earliest=-30d@d latest=@d | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval idx=main | bin _time span=1d | eval b=b/1024/1024/1024 | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | addtotals | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d latest=@d | bin _time span=1d | stats latest(stacksz) AS "stack_size" by _time] | eval stack_size = round(stack_size/1024/1024/1024,5)

There is one app in splunkbase named meta woot. It will give some more capabilities.

https://splunkbase.splunk.com/app/2949/

0 Karma

johnblakley
Explorer

Your search didn't work. It resulted in nothing found. Metawoot doesn't find anything and it doesn't seem like I can change the index to anything but "All".

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...