Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

identity when a log source stopped sending

verifi81
Path Finder
‎03-29-2021 09:25 AM

Hi

Suppose I have this log source here:

index=main
sourcetype=pan
host=pa3250

It generates a massive amount of logs daily. I know sometime within the last 20 days it stopped sending traffic. What's the best search query to help me identify the day that logs stopped coming in?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-29-2021 10:37 AM

You could run that more efficiently using tstats:

| tstats count where index=main sourcetype=pan host=pa3250 by _time 
| bin _time span=1d

especially when running over longer periods of time.

FYI. 

View solution in original post

Reply
Solved! Jump to solution

verifi81
Path Finder
‎03-29-2021 10:47 AM

Yes there it is. Was trying to get the query working with TSTATS. That's much better.

Does the count indicate the # of events that came in?

0 Karma
Reply
Solved! Jump to solution

verifi81
Path Finder
‎03-29-2021 10:42 AM

Also, what do the values in the "count" indicate? Is it how many files came in?

0 Karma
Reply
Solved! Jump to solution

verifi81
Path Finder
‎03-29-2021 10:40 AM

Hi impurush,

Thanks. I'm getting close with that one.  It outputs to a table with _time and count.  How would I also throw in the "host" in that table so that I can run it for a bunch of equipment in the same index and sourcetype

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-30-2021 09:54 AM

Just remove the host=xyz from the tstats and add it to the by clause, i.e. by _time, host.

And yes, the count is the number of events received by host. If you want the number of unique file sources, do a count by source (which is the filename, if it was a monitored file).

0 Karma
Reply
Solved! Jump to solution

impurush
Contributor
‎03-29-2021 10:26 AM

Hi @verifi81,

index=main sourcetype=pan host=pa3250|timechart span=1d count 

You can run the above query for the last 30 days and see the visualization as a line graph, then see when it stopped.

And if you want to exact time, select the data when it stopped and change the span=1h to see when it exactly stopped.

0 Karma
Reply
Solved! Jump to solution

impurush
Contributor
‎03-29-2021 11:48 AM

Hi @s2_splunk,

Thank you for the valuable suggestion, Indeed, the tstats is very fast than the normal query which I provided.

Hi @verifi81, Please use the below query to include the host too.

| tstats count where index=main sourcetype=pan host=pa3250 by _time,host span=1d

0 Karma
Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-29-2021 10:37 AM

You could run that more efficiently using tstats:

| tstats count where index=main sourcetype=pan host=pa3250 by _time 
| bin _time span=1d

especially when running over longer periods of time.

FYI. 

Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...