Splunk Cloud Platform
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

identity when a log source stopped sending

verifi81
Path Finder
‎03-29-2021 09:25 AM

Hi

Suppose I have this log source here:

index=main
sourcetype=pan
host=pa3250

It generates a massive amount of logs daily. I know sometime within the last 20 days it stopped sending traffic. What's the best search query to help me identify the day that logs stopped coming in?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-29-2021 10:37 AM

You could run that more efficiently using tstats:

| tstats count where index=main sourcetype=pan host=pa3250 by _time 
| bin _time span=1d

especially when running over longer periods of time.

FYI. 

View solution in original post

Reply
Solved! Jump to solution

verifi81
Path Finder
‎03-29-2021 10:47 AM

Yes there it is. Was trying to get the query working with TSTATS. That's much better.

Does the count indicate the # of events that came in?

0 Karma
Reply
Solved! Jump to solution

verifi81
Path Finder
‎03-29-2021 10:42 AM

Also, what do the values in the "count" indicate? Is it how many files came in?

0 Karma
Reply
Solved! Jump to solution

verifi81
Path Finder
‎03-29-2021 10:40 AM

Hi impurush,

Thanks. I'm getting close with that one.  It outputs to a table with _time and count.  How would I also throw in the "host" in that table so that I can run it for a bunch of equipment in the same index and sourcetype

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-30-2021 09:54 AM

Just remove the host=xyz from the tstats and add it to the by clause, i.e. by _time, host.

And yes, the count is the number of events received by host. If you want the number of unique file sources, do a count by source (which is the filename, if it was a monitored file).

0 Karma
Reply
Solved! Jump to solution

impurush
Contributor
‎03-29-2021 10:26 AM

Hi @verifi81,

index=main sourcetype=pan host=pa3250|timechart span=1d count 

You can run the above query for the last 30 days and see the visualization as a line graph, then see when it stopped.

And if you want to exact time, select the data when it stopped and change the span=1h to see when it exactly stopped.

0 Karma
Reply
Solved! Jump to solution

impurush
Contributor
‎03-29-2021 11:48 AM

Hi @s2_splunk,

Thank you for the valuable suggestion, Indeed, the tstats is very fast than the normal query which I provided.

Hi @verifi81, Please use the below query to include the host too.

| tstats count where index=main sourcetype=pan host=pa3250 by _time,host span=1d

0 Karma
Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-29-2021 10:37 AM

You could run that more efficiently using tstats:

| tstats count where index=main sourcetype=pan host=pa3250 by _time 
| bin _time span=1d

especially when running over longer periods of time.

FYI. 

Reply
Get Updates on the Splunk Community!

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...

This month, we’re delivering several platform, infrastructure, application and digital experience monitoring ...
Top