These are the 2 Splunk queries that I have:

Query 1:
| tstats latest(_time) as latest where index=* earliest=-48h by host
| eval minutesago=round((now()-latest)/60,0)

Query 2:
| tstats latest(_time) as latest where index=* earliest=-10m by host
| eval minutesago=round((now()-latest)/60,0)
I need the Splunk Query to do the following:
The log feeds by the actual device products instead of just IPs.
Deeper review of the logs by sourcetypes and sources (not just index=*) given that some tools are sending multiple feeds that are stored on the same index files.
Tracking short term and long term outages instead of just last 10 min and last 24 hrs.
The use of charts to show the visual state of the devices' health check instead of tables.
Line charts to show logs feeds baseline vs spikes for last 24hrs/7d/30d.
Ability to drill down under specific stats.
Assets pivoting from an IP/hostname to show full device info (there are multiple lookup tables that have the necessary data).
Please, I need your help with the Splunk query to do the above task.
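One way to start on the first three requirements in the post above (feeds keyed by device product rather than IP, split by sourcetype and source, and short- versus long-term silence tiers) is a single tstats search. This is an added example, not a query from the original post or from any reply: the lookup name device_inventory and its fields product, vendor and site are assumed placeholders for the poster's own lookup tables, and the silence thresholds (10 minutes, 1 hour, 24 hours) are arbitrary values to adjust per feed.

```spl
| tstats count AS events, latest(_time) AS last_seen
    WHERE index=* earliest=-7d
    BY host, index, sourcetype, source
| eval minutes_silent = round((now() - last_seen) / 60, 0)
| eval state = case(minutes_silent <= 10,   "ok",
                    minutes_silent <= 60,   "short outage (10m-1h)",
                    minutes_silent <= 1440, "long outage (1h-24h)",
                    true(),                 "silent > 24h")
| lookup device_inventory host OUTPUTNEW product, vendor, site
| eval product = coalesce(product, "unknown (host not in device_inventory)")
| eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table product, vendor, site, host, index, sourcetype, source,
        events, last_seen, minutes_silent, state
| sort - minutes_silent
```

The one tstats call replaces both of the posted queries: because it groups on the indexed fields host, index, sourcetype and source, every feed a product sends gets its own row and its own silence clock, so a device that is still logging one feed while another has stopped shows up as a problem instead of being masked by the healthy feed. For a chart rather than a table, end with `| stats count BY product, state` and render it as a bar chart; the lookup columns are what give you the pivot from a bare host or IP to the full device record. One caveat: a host that has sent nothing for the whole 7-day window does not appear at all, so to catch completely dead devices start from the inventory (`| inputlookup device_inventory`) and compare against this result, or widen `earliest`.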
Did you not get the magic wand with your starter pack?
You have a lot of requirements there. Start with the one you think is easiest and build from there. The more you play with Splunk and your data, the better you will understand both, and the more you will be able to do with both. Alternatively, find a budget and hire some professional services.
Thanks, the starter pack works. I am working on building on it since I have broader requirements.
Please, is there any way you can assist me with any of those?
Of those requirements, I would probably start by counting the number of log entries per hour or minute and chart that. Then you will get an idea of the shape of the data you are receiving. Then decide what useful information you want out of that.
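A concrete form of the advice in the reply above (count events per hour, chart it, then decide what is interesting), written as an added example rather than a query from the thread: it counts events per hour for one sourcetype over 30 days, builds a baseline from the median and standard deviation of the same hour of the week, and emits the last 7 days next to the baseline band so the result can be rendered directly as a line chart. `$sourcetype_tok$` is an assumed dashboard token; replace it with a literal sourcetype when running the search ad hoc. The 3-sigma band and the 30d/7d windows are arbitrary choices.

```spl
| tstats count AS events
    WHERE index=* sourcetype=$sourcetype_tok$ earliest=-30d@d latest=@h
    BY _time span=1h
| eval hour_of_week = strftime(_time, "%a %H")
| eventstats median(events) AS baseline, stdev(events) AS sd BY hour_of_week
| eval sd = if(isnull(sd) OR sd = 0, 1, sd)
| eval upper = round(baseline + 3 * sd, 0),
       lower = max(0, round(baseline - 3 * sd, 0)),
       zscore = round((events - baseline) / sd, 2)
| where _time >= relative_time(now(), "-7d@d")
| fields _time, events, baseline, upper, lower, zscore
```

Plot `_time` on the x-axis with events, baseline, upper and lower as series: a spike pokes above `upper`, a feed that is quietly degrading drops below `lower`, and a dead feed shows as a gap because tstats emits no row for an empty hour. Grouping the baseline by hour-of-week rather than a flat average keeps normal business-hours volume from being flagged against a weekend median. The `zscore` column is what you would put behind a drilldown: clicking a point can open a search for that sourcetype and hour, and `| where abs(zscore) > 3` on the same query gives an alert condition. Run the same search with `earliest=-30d@d` kept and the final `where` dropped for the 30-day view, or with `-24h@h` for the short one.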
Thanks for your help. I will work on it and may have questions. Thanks again.