Reporting
Highlighted

Query Events rate by host

Communicator

I'm trying to query events per host over a certain time period. Event rate, or events per second, by HOST. I'd like a table of "Of all hosts, this is the message count for 1) Last 1 minute, 2) Last 5 mins, 3) Last 15 minutes.

Ultimately, i'd like a little graph of eventrate over time for multiple hosts. This would help me visually identify which hosts are suddenly responsible for many more events than usual.

I feel like this might be in metadata somewhere. (new user, so i'm not very familiar).

Tags (3)
0 Karma
Highlighted

Re: Query Events rate by host

Communicator

Found the answer when searching for "volume"

http://answers.splunk.com/questions/140/how-do-i-determine-my-indexing-volume-by-host-source-or-sour...

per host metrics are also included in the var/log/splunk/metrics.log . Search for "group=perhostthruput"

Now, to get to the visual representation....

0 Karma
Highlighted

Re: Query Events rate by host

SplunkTrust
SplunkTrust

I think the best starting point, and with pretty low effort, is just this.

Go to the 'Advanced Charting View' and run the following:

index=_internal source=*metrics.log group=per_host_thruput | timechart sum(kb) avg(eps) by series

A more brute force way to do something similar (since you only want the count of events anyway) is to just run

* | timechart count by host

View solution in original post