Splunk IT Service Intelligence

Is there any Splunk query that would provide the details of HF ports where incoming logs are dropping?

rajim
Path Finder

Is there any Splunk query that would provide the details of HF ports where incoming logs are dropping?
For ex I have one HF. Now I want to know if there are any UDP ports where incoming logs are dropping and the logs are not indexing in splunk. I can perform tcpdump to get this. But I want to know the historical details from when this has been started, how many ports are involved in the past in such log dropping incident etc. So it would be better if splunk can capture these events and show us the details of such events. Is there any facilities in Splunk?

0 Karma

terminaloutcome
Explorer

If the queue's blocking it'll drop traffic - index=_internal Metrics blocked=true NOT StreamedSearch | table _time, host, name, max_size_kb, current_size_kb is a starter search for showing where Splunk knows it's blocking.

To monitor UDP queue headroom, I use index=_internal Metrics group=queue NOT StreamedSearch name=udp* | eval headroom=max_size_kb-current_size_kb | timechart avg(headroom) by host

0 Karma

rajim
Path Finder

@terminaloutcomes Thank you for your response. I need this information by port no. But these queries doesn't provide any port information. Is that possible to get the dropped information by port?

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...