Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Different Amount of Events per UF with different searches

sscholz
Explorer
‎08-05-2021 11:49 PM

Hello guys,

Iam creating a dashboard which show some statistics about the UFs of our environment.

By finding a good solution for the amount of events delivered per index, I noticed something I cant explain at the moment. Hopefully you can bring light in the dark. 😉

For my understanding:

# The amount of indexed events on the indexer by the forwarder itself

| tstats count as eventcount where index=* OR index=_* host=APP01 earliest=-60m@m latest=now by index, sourcetype | stats sum(eventcount) as eventcount by index

indexeventcount
_internal11608
win1337

 

# The amount of events which are forwarded by the forwarder 

index=_internal component=Metrics host=APP01 series=* NOT series IN (main) group=per_index_thruput
| stats sum(ev) AS eventcount by series

serieseventcount
_internal1243
win2876

 

But both of them are delivering different values for the same timerange (60min)

Has anyone an idea why this is happening?

Thanks.

BR, Tom

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

codebuilder
Influencer
‎08-06-2021 09:16 AM

In your first query you are looking at all events, for all internal and non-internal indexes.

In your second query you are looking only at _internal, and have it further delimited to only the Metrics component and the per_index_thruput group.

That is why you are seeing different results. Essentially, you are not comparing apples to apples, so to speak.

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

codebuilder
Influencer
‎08-06-2021 09:16 AM

In your first query you are looking at all events, for all internal and non-internal indexes.

In your second query you are looking only at _internal, and have it further delimited to only the Metrics component and the per_index_thruput group.

That is why you are seeing different results. Essentially, you are not comparing apples to apples, so to speak.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Solved! Jump to solution

sscholz
Explorer
‎08-17-2021 01:18 AM

Thank you for clarification.

It seems that i had apples on my eyes. 😞

...

 

Greetings.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...