Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I Identify anomalous changes in event counts across critical hosts and sources in Splunk & ES?

SamHTexas
Builder
‎07-15-2021 07:50 PM

I have a large Splunk & ES environment and use DMC daily. Are there a series of SPL that would help me perform such tasks. Thank u in advance.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎07-15-2021 08:22 PM

Hi @SamHTexas .. 

critical hosts and sources - may we know this list is a small one with few hosts and sources or a large list?

for example, if you got only less than 5 / 10 hosts, we can use simple SPL query.. 

if the list is big, then

1) you should create a CSV file  -  host or source - number of logs today - date of today

2) then create alert on that CSV file and create email alerts

 

the basic idea: just the reverse of idea of host stops sending logs:

https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-determine-when-a-host-stops-sending-logs-to...

(if a host sent more than 1million logs in last 24 hrs, create an email notification)

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...