Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Query Events rate by host

gfriedmann
Communicator
‎06-11-2010 09:54 PM

I'm trying to query events per host over a certain time period. Event rate, or events per second, by HOST. I'd like a table of "Of all hosts, this is the message count for 1) Last 1 minute, 2) Last 5 mins, 3) Last 15 minutes.

Ultimately, i'd like a little graph of eventrate over time for multiple hosts. This would help me visually identify which hosts are suddenly responsible for many more events than usual.

I feel like this might be in metadata somewhere. (new user, so i'm not very familiar).

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-12-2010 12:38 AM

I think the best starting point, and with pretty low effort, is just this.

Go to the 'Advanced Charting View' and run the following: 

index=_internal source=*metrics.log group=per_host_thruput | timechart sum(kb) avg(eps) by series

A more brute force way to do something similar (since you only want the count of events anyway) is to just run 

* | timechart count by host

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-12-2010 12:38 AM

I think the best starting point, and with pretty low effort, is just this.

Go to the 'Advanced Charting View' and run the following: 

index=_internal source=*metrics.log group=per_host_thruput | timechart sum(kb) avg(eps) by series

A more brute force way to do something similar (since you only want the count of events anyway) is to just run 

* | timechart count by host
Reply
Solved! Jump to solution

EmanueleR
New Member
‎03-21-2021 08:43 AM

Hi, 

Like the splunk training teaches, a wildcard before a name field is bad practise. 

It's important to use wildcards always before,  so neither in the middle.

0 Karma
Reply
Solved! Jump to solution

gfriedmann
Communicator
‎06-11-2010 09:57 PM

Found the answer when searching for "volume"

http://answers.splunk.com/questions/140/how-do-i-determine-my-indexing-volume-by-host-source-or-sour...

per host metrics are also included in the var/log/splunk/metrics.log . Search for "group=per_host_thruput"

Now, to get to the visual representation....

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...