- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Different Amount of Events per UF with different s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello guys,
Iam creating a dashboard which show some statistics about the UFs of our environment.
By finding a good solution for the amount of events delivered per index, I noticed something I cant explain at the moment. Hopefully you can bring light in the dark. 😉
For my understanding:
# The amount of indexed events on the indexer by the forwarder itself
| tstats count as eventcount where index=* OR index=_* host=APP01 earliest=-60m@m latest=now by index, sourcetype | stats sum(eventcount) as eventcount by index
| index | eventcount |
| _internal | 11608 |
| win | 1337 |
# The amount of events which are forwarded by the forwarder
index=_internal component=Metrics host=APP01 series=* NOT series IN (main) group=per_index_thruput
| stats sum(ev) AS eventcount by series
| series | eventcount |
| _internal | 1243 |
| win | 2876 |
But both of them are delivering different values for the same timerange (60min)
Has anyone an idea why this is happening?
Thanks.
BR, Tom
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your first query you are looking at all events, for all internal and non-internal indexes.
In your second query you are looking only at _internal, and have it further delimited to only the Metrics component and the per_index_thruput group.
That is why you are seeing different results. Essentially, you are not comparing apples to apples, so to speak.
An upvote would be appreciated and Accept Solution if it helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your first query you are looking at all events, for all internal and non-internal indexes.
In your second query you are looking only at _internal, and have it further delimited to only the Metrics component and the per_index_thruput group.
That is why you are seeing different results. Essentially, you are not comparing apples to apples, so to speak.
An upvote would be appreciated and Accept Solution if it helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for clarification.
It seems that i had apples on my eyes. 😞
...
Greetings.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
