identify when a log source stopped sending

verifi81
Path Finder

Hi

Suppose I have this log source here:

index=main
sourcetype=pan
host=pa3250

It generates a massive amount of logs daily. I know sometime within the last 20 days it stopped sending traffic. What's the best search query to help me identify the day that logs stopped coming in?


0 Karma
1 Solution

s2_splunk
Splunk Employee

You could run that more efficiently using tstats:

| tstats count where index=main sourcetype=pan host=pa3250 by _time 
| bin _time span=1d

especially when running over longer periods of time.

FYI. 


verifi81
Path Finder

Yes there it is. Was trying to get the query working with TSTATS. That's much better.

Does the count indicate the # of events that came in?

0 Karma

verifi81
Path Finder

Also, what do the values in the "count" indicate? Is it how many files came in?

0 Karma

verifi81
Path Finder

Hi impurush,

Thanks. I'm getting close with that one. It outputs to a table with _time and count. How would I also throw in the "host" in that table so that I can run it for a bunch of equipment in the same index and sourcetype?

0 Karma

s2_splunk
Splunk Employee

Just remove the host=xyz from the tstats and add it to the by clause, i.e. by _time, host.

And yes, the count is the number of events received by host. If you want the number of unique file sources, do a count by source (which is the filename, if it was a monitored file).

0 Karma
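Building on the per-host idea above, the following search is an added example (not from any of the posters) that reports, for every host in the index/sourcetype, when it last sent an event and how many days it has been silent, so a stopped source surfaces as a row instead of having to be spotted in a chart. It assumes the same index=main and sourcetype=pan as the thread, and that the search time range is wide enough (for example last 30 days) to include each host's last event.

```spl
| tstats count as events latest(_time) as last_seen
    where index=main sourcetype=pan
    by host
| eval days_silent=round((now() - last_seen) / 86400, 1)
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| where days_silent > 1
| sort - days_silent
```

Because tstats only emits rows for hosts that have at least one event in the search window, a host that sent nothing at all in that window will not appear; comparing the result against a list of expected hosts (for example a lookup) catches that case.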

impurush
Contributor

Hi @verifi81,

index=main sourcetype=pan host=pa3250|timechart span=1d count 

You can run the above query for the last 30 days and see the visualization as a line graph, then see when it stopped.

And if you want the exact time, select the data from when it stopped and change the span to span=1h to see exactly when it stopped.

0 Karma

impurush
Contributor

Hi @s2_splunk,

Thank you for the valuable suggestion. Indeed, tstats is much faster than the normal query which I provided.

Hi @verifi81, Please use the below query to include the host too.

| tstats count where index=main sourcetype=pan host=pa3250 by _time,host span=1d

0 Karma

