Splunk Cloud

Identify when a log source stopped sending

verifi81
Path Finder

Hi

Suppose I have this log source here:

index=main
sourcetype=pan
host=pa3250

It generates a massive amount of logs daily. I know sometime within the last 20 days it stopped sending traffic. What's the best search query to help me identify the day that logs stopped coming in?

 

0 Karma
1 Solution

s2_splunk
Splunk Employee

You could run that more efficiently using tstats:

| tstats count where index=main sourcetype=pan host=pa3250 by _time
| bin _time span=1d
| stats sum(count) as count by _time

especially when running over longer periods of time.

FYI. 


verifi81
Path Finder

Yes there it is. Was trying to get the query working with TSTATS. That's much better.

Does the count indicate the # of events that came in?

0 Karma

verifi81
Path Finder

Also, what do the values in the "count" indicate? Is it how many files came in?

0 Karma

verifi81
Path Finder

Hi impurush,

Thanks. I'm getting close with that one. It outputs to a table with _time and count. How would I also throw in the "host" in that table so that I can run it for a bunch of equipment in the same index and sourcetype?

0 Karma

s2_splunk
Splunk Employee

Just remove the host=xyz from the tstats and add it to the by clause, i.e. by _time, host.

And yes, the count is the number of events received by host. If you want the number of unique file sources, do a count by source (which is the filename, if it was a monitored file).

0 Karma

impurush
Contributor

Hi @verifi81,

index=main sourcetype=pan host=pa3250 | timechart span=1d count

You can run the above query for the last 30 days and see the visualization as a line graph, then see when it stopped.

And if you want the exact time, select the date when it stopped and change to span=1h to see exactly when it stopped.

0 Karma

impurush
Contributor

Hi @s2_splunk,

Thank you for the valuable suggestion. Indeed, tstats is much faster than the normal query I provided.

Hi @verifi81, please use the query below to include the host too.

| tstats count where index=main sourcetype=pan by _time, host span=1d

0 Karma
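Added example, not from any poster in this thread: the per-host tstats approach above turned into a "silent source" check that a practitioner would schedule as an alert instead of reading a daily table by eye. It reuses the thread's index=main and sourcetype=pan; the 20-day lookback window, the 24-hour silence threshold and the field names last_seen, hours_silent and events_in_window are assumptions chosen for illustration.

```spl
| tstats latest(_time) as last_seen, count as events_in_window
    where index=main sourcetype=pan earliest=-20d@d latest=now
    by host
| eval hours_silent = round((now() - last_seen) / 3600, 1)
| where hours_silent > 24
| eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - hours_silent
| table host last_seen hours_silent events_in_window
```

Each row is a host that was seen at least once in the window but has sent nothing for more than a day; last_seen is the moment the logs stopped, which answers the original question for every host in one search rather than one host at a time. A host that never appeared in the window produces no row at all, so a lookup of expected hosts is still needed if a device that has been dark for longer than the lookback should also be flagged.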

