Solved: Meassure log amount of Forwarder and create alert

nebel · ‎08-27-2012

Hi,

I want to create an alert for Forwarder which sending more than 2 GB / day.
I already found this

Community:TroubleshootingIndexedDataVolume

I general it is the right way, but I have a special request which is not covered in Splunk Wiki. I want to count the log amount of hosts which are located in a specific sourcetype. In the example search I just see amount of sourcetype and amount of host. If I would use the host search, I would see all hosts, but I just want to have hosts from a specific sourcetype.

Do you know how I can realize that?

Thank you

Regards

nebel · ‎08-27-2012

found it:

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | search st="YOUR SOURCETYPE" | timechart span=1d sum(GB) by h useother=false

View solution in original post

nebel · ‎08-27-2012

found it:

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | search st="YOUR SOURCETYPE" | timechart span=1d sum(GB) by h useother=false

Meassure log amount of Forwarder and create alert

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Meassure log amount of Forwarder and create alert

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...