I am looking to see how often all of my devices are sending logs to Splunk. We recently applied a hotfix and it seems that it has seriously degraded the number of logs, and the frequency that they are being received. I would like to graph it to see if they were indeed affected by this patch. Thanks!
-Josh
I recommend you take a look at meta woot! https://splunkbase.splunk.com/app/2949/
It is a great app and provides many useful views that help trend events, license usage, and indexing by host, sourcetype and index.
It leverages a scheduled tstats search to a summary index, which will allow you to trend your events and license over time, and can even form the basis of alerting on hosts that have gone missing or are indexing behind or ahead.
You could effectively do the same thing with a simple tstats command like:
| tstats prestats=t count by host, _time
| timechart count by host
That should work quick and dirty, but meta woot! will provide a better experience over time without re-inventing the wheel.
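As an added example (not part of the answer above, and not from the meta woot! app), the same tstats approach can be extended to answer the original question directly: compare each host's average hourly event count before and after the hotfix and list the hosts whose volume dropped or that stopped reporting entirely. The cutover timestamp is an assumed placeholder; replace it with the actual patch time and set the search time range (via the time picker) to cover several days on both sides of it.

```spl
| tstats count where index=* by host _time span=1h
| eval cutover=strptime("2016-05-10 00:00", "%Y-%m-%d %H:%M")  /* placeholder: when the hotfix was applied */
| eval period=if(_time < cutover, "before", "after")
| stats avg(count) as avg_hourly by host period
| chart values(avg_hourly) over host by period
| eval drop_pct=round((before - after) / before * 100, 1)
| where isnull(after) OR drop_pct > 50
| sort -drop_pct
```

Hosts with a null `after` column went completely silent after the cutover; the `drop_pct` threshold of 50 is arbitrary and can be lowered to catch subtler degradation.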