Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate historical ingestion from a specific set of hosts to index over time

JohnEGones
Path Finder
‎01-10-2024 03:09 PM

Hi Guys (and Gals),

Hopefully quick question, and it's late, so my brain isn't firing quickly/properly.

I need to run a query to get the ingestion over time over two variables: host, index

In the specific case, need to determine if the data ingestion from a specific set of hosts, and whether the data inbound has been increasing more than normally expected. 

So the query would look like:

 

index=linuxos host IN (server1, server2, server3...) [or possibly you may have a lookup of the set of hosts]
| eval sum(the data per host over hour {or whatever regular chunk of time you want} for a 7 day period)
| timechart xyz

==> chart over a line graph

 

 

Also, if there is relevant dashboard/console in the monitoring console I am not thinking of please direct me to the relevant menu or docs.

Appreciate any assistance.

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-10-2024 06:13 PM

You can do

index=* 
| eval group=index.":".host
| timechart span=1h sum(eval(len(_raw))) as len by group

Use subsearches with lookups to determine which index / host set you want to restrict to

Note with timechart, it will limit the number of groups to 10, so use limit=X where X is the number of index/host pairs to watch

 

View solution in original post

Reply
Solved! Jump to solution

JohnEGones
Path Finder
‎01-11-2024 07:49 AM

I am trying to run this query but Splunk is complaining that the eval is malformed.

https://docs.splunk.com/Documentation/SCS/current/SearchReference/EvalCommandExamples

I am not sure from the docs how to try to fix this. 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎01-11-2024 01:26 PM

Your link leads to wrong documentation (but for some strange reason Google seems to favour it over the proper SPL documentation). There are two different search languages - SPL and SPL2. SPL is used within Splunk Enterprise (and Splunk Cloud), SPL2 is used here and there (I think most notable use is the Edge Processor) but it's not as widely used as SPL. I know it's confusing 😉

Anyway, you need docs for SPL, not SPL2.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/WhatsInThisManual

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎01-11-2024 02:23 AM

While @bowesmana 's solution is correct, it might not be the fastest one 🙂

If your data haven't already rolled over past retention date, you can see if the licensing report is enough for you (but as far as I remember it's either by host or by index).

Unfortunately, if you want to measure the size of raw data (which is what you're asking about), you need to read all the raw data back from the time period you need to analyze. Which is gonna be painfully slow if your environment is of any decent size.

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-10-2024 06:13 PM

You can do

index=* 
| eval group=index.":".host
| timechart span=1h sum(eval(len(_raw))) as len by group

Use subsearches with lookups to determine which index / host set you want to restrict to

Note with timechart, it will limit the number of groups to 10, so use limit=X where X is the number of index/host pairs to watch

 

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...