Solved: Meassure log amount of Forwarder and create alert

nebel · ‎08-27-2012

Hi,

I want to create an alert for Forwarder which sending more than 2 GB / day.
I already found this

Community:TroubleshootingIndexedDataVolume

I general it is the right way, but I have a special request which is not covered in Splunk Wiki. I want to count the log amount of hosts which are located in a specific sourcetype. In the example search I just see amount of sourcetype and amount of host. If I would use the host search, I would see all hosts, but I just want to have hosts from a specific sourcetype.

Do you know how I can realize that?

Thank you

Regards

nebel · ‎08-27-2012

found it:

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | search st="YOUR SOURCETYPE" | timechart span=1d sum(GB) by h useother=false

View solution in original post

nebel · ‎08-27-2012

found it:

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | search st="YOUR SOURCETYPE" | timechart span=1d sum(GB) by h useother=false

Meassure log amount of Forwarder and create alert

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?