Security

All Index logs display by Stats by Date

mailmetoramu
Explorer

Hello All,

Need a search query where I can see all the index logs by |stats by count, date, index. Tried the below search query but it didn't help:

index=* source=*license_usage.log type="Usage" splunk_server=* earliest=-2month@d
| eval Date=strftime(_time, "%Y/%m/%d")
| eventstats sum(b) as volume by idx, Date
| eval MB=round(volume/1024/1024,5)
| timechart first(MB) AS volume by idx

0 Karma

mailmetoramu
Explorer

Hello Giuseppe,

Thanks for your time on this.

Tried the query you provided, but I'm getting "No results found. Try expanding the time range". Tried expanding the time range also, but no luck.

Need a search query which can give stats data like below:

All Index  :     Date/Time :     SourceType :

Time range will be: 1st Nov to 1st Dec 2021

0 Karma

gcusello
Esteemed Legend

Hi @mailmetoramu,

can you access the _internal index?

It seems that you cannot!

If you cannot, it's really difficult to solve your need.

If yes, to debug the above query you have to run it removing, one by one, the search sections from the end back to the main search, to understand if there's a problem in the search or if you can access the data.

Ciao.

Giuseppe

0 Karma

gcusello
Esteemed Legend

Hi @mailmetoramu,

let me understand: you want a search that displays the time distribution of the quantity of logs indexed in each index, is that correct?

If this is your need, you could use the search that you can find in the 60 days license consumption dashboard or in the Monitoring Console.

The only limit is the retention time of your internal logs (index=_internal) that's usually less than 60 days.

If you have the above data, you could run a search like this:

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx   
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=0  
| fields - _timediff  
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Ciao.

Giuseppe

0 Karma
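As an added example (not part of this thread's own answers), here are two searches that return the flat "index / date / sourcetype" table the original poster asked for, pinned to the 1 Nov to 1 Dec 2021 range. The first builds on the license_usage.log approach above and assumes _internal is readable and its retention covers the range; the second uses tstats against the indexed data itself, so it works without _internal and counts actual events rather than licensed bytes.

```spl
index=_internal source=*license_usage.log* type="Usage" earliest="11/01/2021:00:00:00" latest="12/01/2021:00:00:00"
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| eval st=if(len(st)=0 OR isnull(st),"(UNKNOWN)",st)
| bin _time span=1d
| stats sum(b) AS bytes by _time, idx, st
| eval Date=strftime(_time, "%Y/%m/%d"), MB=round(bytes/1024/1024, 3)
| fields Date, idx, st, MB
| rename idx AS "All Index", Date AS "Date/Time", st AS "SourceType"
| sort 0 "Date/Time", "All Index", "SourceType"

| tstats count WHERE index=* earliest="11/01/2021:00:00:00" latest="12/01/2021:00:00:00" BY _time span=1d, index, sourcetype
| eval Date=strftime(_time, "%Y/%m/%d")
| fields Date, index, sourcetype, count
| rename index AS "All Index", Date AS "Date/Time", sourcetype AS "SourceType"
| sort 0 "Date/Time", "All Index", "SourceType"
```

Run each search separately; the license-based one is only as complete as _internal's retention, while the tstats one is bounded by the retention of each target index and by what the running role is permitted to search.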