Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

identity when a log source stopped sending

verifi81
Path Finder
‎03-29-2021 09:25 AM

Hi

Suppose I have this log source here:

index=main
sourcetype=pan
host=pa3250

It generates a massive amount of logs daily. I know sometime within the last 20 days it stopped sending traffic. What's the best search query to help me identify the day that logs stopped coming in?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-29-2021 10:37 AM

You could run that more efficiently using tstats:

| tstats count where index=main sourcetype=pan host=pa3250 by _time 
| bin _time span=1d

especially when running over longer periods of time.

FYI. 

View solution in original post

Reply
Solved! Jump to solution

verifi81
Path Finder
‎03-29-2021 10:47 AM

Yes there it is. Was trying to get the query working with TSTATS. That's much better.

Does the count indicate the # of events that came in?

0 Karma
Reply
Solved! Jump to solution

verifi81
Path Finder
‎03-29-2021 10:42 AM

Also, what do the values in the "count" indicate? Is it how many files came in?

0 Karma
Reply
Solved! Jump to solution

verifi81
Path Finder
‎03-29-2021 10:40 AM

Hi impurush,

Thanks. I'm getting close with that one.  It outputs to a table with _time and count.  How would I also throw in the "host" in that table so that I can run it for a bunch of equipment in the same index and sourcetype

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-30-2021 09:54 AM

Just remove the host=xyz from the tstats and add it to the by clause, i.e. by _time, host.

And yes, the count is the number of events received by host. If you want the number of unique file sources, do a count by source (which is the filename, if it was a monitored file).

0 Karma
Reply
Solved! Jump to solution

impurush
Contributor
‎03-29-2021 10:26 AM

Hi @verifi81,

index=main sourcetype=pan host=pa3250|timechart span=1d count 

You can run the above query for the last 30 days and see the visualization as a line graph, then see when it stopped.

And if you want to exact time, select the data when it stopped and change the span=1h to see when it exactly stopped.

0 Karma
Reply
Solved! Jump to solution

impurush
Contributor
‎03-29-2021 11:48 AM

Hi @s2_splunk,

Thank you for the valuable suggestion, Indeed, the tstats is very fast than the normal query which I provided.

Hi @verifi81, Please use the below query to include the host too.

| tstats count where index=main sourcetype=pan host=pa3250 by _time,host span=1d

0 Karma
Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-29-2021 10:37 AM

You could run that more efficiently using tstats:

| tstats count where index=main sourcetype=pan host=pa3250 by _time 
| bin _time span=1d

especially when running over longer periods of time.

FYI. 

Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...