Getting Data In

How to make sure that the data forwarded is loading in the searchhead/indexer completely?

manjunathmeti
Champion

I have a forwarder installed on a server, and I am extracting data for indexes like Name, Class, etc. While extracting, I am also storing extraction information, as shown below, in the extraction_audit index. This index is also forwarded to the indexer along with the indexes Name, Class, Place and so on.

index           begin_extraction_time   end_extraction_time   total_records_extracted
Name            1457452861              145745287             150
Class           1457453260              1457453290            100
School_details  1457453564              1457453575            25
Place           1457453612              1457453620            50
Other           1457453734              1457453744            10
Name            1457453892              1457453895            25
Place           1457454094              1457454096            5

Now, how can I check on the search head that the count by index is the same as total_records_extracted between begin_extraction_time and end_extraction_time?

For example, for index=Name between 1457452861 and 145745287, how do I check whether count by index is equal or not equal to total_records_extracted, which is in index=extraction_audit?

0 Karma

jkat54
SplunkTrust

Hello,

This should work:

index=name _index_earliest=1457452861 _index_latest=145745287

Thanks,
Michael

0 Karma

jkat54
SplunkTrust

If you want to do it all in one search...

index=name _index_earliest=1457452861 _index_latest=145745287
| stats count AS count1
| appendcols
    [ search index=extraction_audit _index_earliest=1457452861 _index_latest=145745287
      | stats sum(total_records_extracted) AS count2 ]
| eval matching=if(count1=count2,"True","False")
| table count1, count2, matching
| rename count1 AS "Indexed Event Count", count2 AS "Audited Event Count"
0 Karma
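The reconciliation the thread describes, written out as an added Python example (not code from the original post or from Splunk): it models the extraction_audit index with constructed records, counts the events that landed in each target index between begin_extraction_time and end_extraction_time, and flags any audit window whose indexed count does not equal total_records_extracted. A shortfall is the signal that a forwarder dropped or delayed data; a surplus usually means duplicate delivery. The epoch times, record counts and the make_events helper are constructed for illustration and are not values from the original post.

```python
"""Reconcile extraction-audit records against what actually got indexed.

Added example, not code from the original thread. One row per audit
record: 'match' when the indexed event count equals
total_records_extracted, 'missing' on a shortfall, 'extra' on a surplus.
"""
from typing import Dict, List, Tuple

# Constructed audit records, same shape as the question's extraction_audit index.
# The epoch times and counts are illustrative, not the ones from the original post.
AUDIT: List[Dict] = [
    {"index": "Name",  "begin_extraction_time": 1457452861,
     "end_extraction_time": 1457452870, "total_records_extracted": 10},
    {"index": "Class", "begin_extraction_time": 1457453260,
     "end_extraction_time": 1457453290, "total_records_extracted": 5},
    {"index": "Name",  "begin_extraction_time": 1457453892,
     "end_extraction_time": 1457453895, "total_records_extracted": 4},
]


def make_events(index: str, start: int, count: int) -> List[Tuple[str, int]]:
    """Constructed indexed events as (index, _indextime), one per second from start."""
    return [(index, start + i) for i in range(count)]


# Constructed view of what the indexer received: the first Name batch and the
# Class batch arrived in full; the second Name batch lost one event in transit.
INDEXED: List[Tuple[str, int]] = (
    make_events("Name", 1457452861, 10)
    + make_events("Class", 1457453260, 5)
    + make_events("Name", 1457453892, 3)
)


def count_in_window(indexed: List[Tuple[str, int]], index: str, begin: int, end: int) -> int:
    """Equivalent of: index=<name> _index_earliest=<begin> _index_latest=<end> | stats count."""
    return sum(1 for idx, t in indexed if idx == index and begin <= t <= end)


def reconcile(audit: List[Dict], indexed: List[Tuple[str, int]]) -> List[Dict]:
    """Compare every audit window against the indexed count for that index."""
    rows = []
    for rec in audit:
        expected = rec["total_records_extracted"]
        actual = count_in_window(indexed, rec["index"],
                                 rec["begin_extraction_time"], rec["end_extraction_time"])
        if actual == expected:
            status = "match"
        elif actual < expected:
            status = "missing"
        else:
            status = "extra"
        rows.append({"index": rec["index"], "begin": rec["begin_extraction_time"],
                     "end": rec["end_extraction_time"], "expected": expected,
                     "actual": actual, "status": status})
    return rows


def mismatches(rows: List[Dict]) -> List[Dict]:
    """Only the windows that need attention (a missing or extra count)."""
    return [r for r in rows if r["status"] != "match"]


if __name__ == "__main__":
    for row in reconcile(AUDIT, INDEXED):
        print(row)
```

The window check uses index time, matching the `_index_earliest`/`_index_latest` filters in the answers above; if the forwarder is backlogged, events can be indexed after end_extraction_time and show up as "missing" in this window while still arriving later, so a lagging window is worth re-checking before treating it as data loss.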