Monitoring Splunk

Is there an app/addon that summarizes index of log volumes - by host/by sourcetype?

bevan_broun_sit
Loves-to-Learn Lots

Hi

I was about to create a summary index for log sizes/counts by host and by sourcetype. I require this for alerting when log volumes change.

I can create the indexes/searches but I thought that this might be a common thing - does anyone know of an app/addon that does this already?

Thanks

Bevan


bevan_broun_sit
Loves-to-Learn Lots

Thanks Giuseppe

This is what I got going for myself in test mode

my event indexes have _e_ in them, metrics have _m_ in them and summary has ..

earliest=-11m@m latest=-1m@m index=*_e_* OR index=*_m_* NOT index=*summary*
| eval logsize=len(_raw)
| stats sum(logsize) as log_bytes count as log_count by host sourcetype
| eval log_count.{host}.{sourcetype} = log_count
| eval log_bytes.{host}.{sourcetype} = log_bytes
| fields - log_count log_bytes host sourcetype
| stats values(*) as *
| addinfo | mcollect index=log_volume_stats_summary_test split=allnums

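The search above only collects the per-host/per-sourcetype volumes; the alerting step asked about in the original question is not shown. The following scheduled search is an added example, not code from the thread, and it assumes a different storage choice: an event summary index named log_volume_summary populated with collect (not mcollect), holding events with the fields host, sourcetype and log_bytes, one row per host/sourcetype per collection run. It compares the last full hour of each host/sourcetype pair against its own previous seven days and returns only pairs that are either silent or more than three standard deviations from their baseline.

```spl
index=log_volume_summary earliest=-7d@h latest=@h
| bin _time span=1h
| stats sum(log_bytes) as hourly_bytes by _time host sourcetype
| eval period=if(_time >= relative_time(now(), "-1h@h"), "current", "baseline")
| stats avg(eval(if(period="baseline", hourly_bytes, null()))) as baseline_avg
        stdev(eval(if(period="baseline", hourly_bytes, null()))) as baseline_stdev
        sum(eval(if(period="current", hourly_bytes, 0))) as current_bytes
        by host sourcetype
| fillnull value=0 current_bytes baseline_stdev
| eval z=if(baseline_stdev > 0, round((current_bytes - baseline_avg) / baseline_stdev, 2), null())
| where current_bytes=0 OR abs(z) > 3
| table host sourcetype baseline_avg baseline_stdev current_bytes z
```

Schedule this once an hour with an alert condition of "number of results > 0". Because a pair that produced no events in an hour has no row for that hour, the baseline average is computed only over hours in which the pair actually logged, which makes the baseline slightly optimistic for bursty sources; the current_bytes=0 clause is what catches a host or sourcetype that has gone silent, since a pair seen in the baseline window but absent from the current hour still gets a row with current_bytes of 0. Tune the threshold of 3 per environment, and consider a day-of-week-aware baseline for sources with a strong weekly cycle.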

gcusello
SplunkTrust

Hi @bevan_broun_sit,

I suppose that's correct; do you have any issue?

You can check results with the License consuming reports or with the Monitoring Console reports (which are the same), or with one of these apps:

License Monitoring for Splunk (https://splunkbase.splunk.com/app/3521)

License Usage Dashboards (https://splunkbase.splunk.com/app/3178).

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @bevan_broun_sit,

You could use the searches that you can find in [Settings -- License - License Consumption - Last 60 days], schedule them and save the results in a summary index.

Ciao.

Giuseppe


bevan_broun_sit
Loves-to-Learn Lots

Hi

BTW, this is not about license consumption. It's about alerting when something changes its expected logging pattern.
