Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way to accurately determine the volume of events being dropped to the nullQueue?

staftly
New Member
‎08-11-2015 12:47 PM

Is there a way to accurately determine the volume of events being dropped to the nullQueue?

I have a standard props & transforms setup to drop events for a given source type by a single regex entry.

Any help would be appreciated.

Many thanks
Staftly

Tags (1)
0 Karma
Reply

dflodstrom
Builder
‎08-24-2015 07:28 PM

There are many ways to go about this.

One way is to just send the events to an index instead of to the nullQueue, then examine the size of that index and delete it if you want.

You could baseline the size of your index over a period of time with and without the filter as well.

If you're reading in static set of data you could easily index it, check the size, delete the index and re-index with your filter.

You can always go over your license for one day if you needed to.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...