Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Correlate _internal metrics per_host_thruput and per_index_thruput logs

pj
Contributor
‎01-28-2011 05:09 PM

Is there an easy way to correlate per_index_thruput with per_host_thruput in the internal logs?

Essentially, I have a 1000 hosts coming into a unique index and i am trying to understand the volume per host for this index.

Right now i have a search that looks at the log events coming into the unique index for the past 24hrs and dedups on hostname. I then feed this hostname into a search of the internal index to get the volume by host. This works, but the search of the log events for hostname takes a long time to run as there are millions of events.

Thanks

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎01-31-2011 02:40 AM

I'm afraid the splunk metadata regarding source,sourcetype and host is not cross-referenced at all.

However IF it is true that a given host only appears in a single index, then you could generate a large lookup table from host to index. And then you could pipe your search results from metadata through the lookup command.

You'd have to create the lookup in manager first and then the search to generate the lookup csv would look something like this: 

* | stats count by host, index | outputlookup hostToIndex

And once it exists the other search would look roughly like this: 

index=_internal source="*metrics.log" group="per_host_thruput" | rename series as host | lookup hostToIndex | search index="myIndex"

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎01-31-2011 02:40 AM

I'm afraid the splunk metadata regarding source,sourcetype and host is not cross-referenced at all.

However IF it is true that a given host only appears in a single index, then you could generate a large lookup table from host to index. And then you could pipe your search results from metadata through the lookup command.

You'd have to create the lookup in manager first and then the search to generate the lookup csv would look something like this: 

* | stats count by host, index | outputlookup hostToIndex

And once it exists the other search would look roughly like this: 

index=_internal source="*metrics.log" group="per_host_thruput" | rename series as host | lookup hostToIndex | search index="myIndex"
Reply
Solved! Jump to solution

pj
Contributor
‎01-31-2011 02:49 PM

That is essentially what i am doing, except i put the results into a summary index then use the summary results against the _internal index.

Problem is that initial query takes a very log time to run as it has to look back through all the data to get the hostnames. It sounds like there is no simple way. Thanks for the answer.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...