Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate historical ingestion from a specific set of hosts to index over time

JohnEGones
Communicator
‎01-10-2024 03:09 PM

Hi Guys (and Gals),

Hopefully quick question, and it's late, so my brain isn't firing quickly/properly.

I need to run a query to get the ingestion over time over two variables: host, index

In the specific case, need to determine if the data ingestion from a specific set of hosts, and whether the data inbound has been increasing more than normally expected. 

So the query would look like:

 

index=linuxos host IN (server1, server2, server3...) [or possibly you may have a lookup of the set of hosts]
| eval sum(the data per host over hour {or whatever regular chunk of time you want} for a 7 day period)
| timechart xyz

==> chart over a line graph

 

 

Also, if there is relevant dashboard/console in the monitoring console I am not thinking of please direct me to the relevant menu or docs.

Appreciate any assistance.

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-10-2024 06:13 PM

You can do

index=* 
| eval group=index.":".host
| timechart span=1h sum(eval(len(_raw))) as len by group

Use subsearches with lookups to determine which index / host set you want to restrict to

Note with timechart, it will limit the number of groups to 10, so use limit=X where X is the number of index/host pairs to watch

 

View solution in original post

Reply
Solved! Jump to solution

JohnEGones
Communicator
‎01-11-2024 07:49 AM

I am trying to run this query but Splunk is complaining that the eval is malformed.

https://docs.splunk.com/Documentation/SCS/current/SearchReference/EvalCommandExamples

I am not sure from the docs how to try to fix this. 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎01-11-2024 01:26 PM

Your link leads to wrong documentation (but for some strange reason Google seems to favour it over the proper SPL documentation). There are two different search languages - SPL and SPL2. SPL is used within Splunk Enterprise (and Splunk Cloud), SPL2 is used here and there (I think most notable use is the Edge Processor) but it's not as widely used as SPL. I know it's confusing 😉

Anyway, you need docs for SPL, not SPL2.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/WhatsInThisManual

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎01-11-2024 02:23 AM

While @bowesmana 's solution is correct, it might not be the fastest one 🙂

If your data haven't already rolled over past retention date, you can see if the licensing report is enough for you (but as far as I remember it's either by host or by index).

Unfortunately, if you want to measure the size of raw data (which is what you're asking about), you need to read all the raw data back from the time period you need to analyze. Which is gonna be painfully slow if your environment is of any decent size.

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-10-2024 06:13 PM

You can do

index=* 
| eval group=index.":".host
| timechart span=1h sum(eval(len(_raw))) as len by group

Use subsearches with lookups to determine which index / host set you want to restrict to

Note with timechart, it will limit the number of groups to 10, so use limit=X where X is the number of index/host pairs to watch

 

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...