- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to compare splunk ingestion volume?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to compare splunk ingestion volume?
Hi Team,
I'm looking for a query to compare Splunk ingestion volume between the current date and a week ago i.e compare today's ingestion volume with exact same day a week ago and get the % difference. Please let me know if there are any queries available preferably with REST Services.Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this but interestingly 7days ago im getting 10x more values than yesterday data, can you please re-look into this @schose
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
you can try to verify using license usage:
index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" sourcetype=splunkd earliest=-7d@d latest=-6d@d
| stats sum(b) as lic_7d
| append
[ search index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" sourcetype=splunkd earliest=-1d@d latest=-0d@d
| stats sum(b) as lic_yesterday
]
| stats values(*) as *
| eval pct=round((lic_yesterday/lic_7d)*100)
license usage is also a good indicator for ingest - could be just misleading if you are doing a lot of metric conversion..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
i guess i would use splunkd metrics for that :
index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" "group=thruput" "name=index_thruput" instantaneous_kbps earliest=-7d@d latest=-6d@d | stats sum(instantaneous_kbps) as ingest_pipe_instantaneous_kbps by ingest_pipe host | stats sum(ingest_pipe_instantaneous_kbps) as total_7d_ago by host
| append [
search index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" "group=thruput" "name=index_thruput" instantaneous_kbps earliest=-1d@d latest=-0d@d | stats sum(instantaneous_kbps) as ingest_pipe_instantaneous_kbps by ingest_pipe host | stats sum(ingest_pipe_instantaneous_kbps) as total_yesterday by host
]
| stats values(*) as * by host
| eval pct=round((total_yesterday/total_7d_ago)*100,1)
in this example we calculate the sum of instantaneous_kbs per indexer per ingest_pipeline 7 days ago and compare it to yesterday. you might want to adjust times..
best regards,
Andreas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the cheaper way is to use _metrics index
| mstats sum("spl.mlog.thruput.thruput.instantaneous_kbps") as total_7d_ago WHERE "index"="_metrics" earliest=-7d@d latest=-6d@d host=INDEXER BY host
| append
[
| mstats sum("spl.mlog.thruput.thruput.instantaneous_kbps") as total_yesterday WHERE "index"="_metrics" earliest=-1d@d latest=-0d@d host=INDEXER BY host
]
| stats values(*) as * by host
| eval pct=round((total_yesterday/total_7d_ago)*100,1)you have to place you indexers with or in where part.
regards,
Andreas
Observability | How to Think About Instrumentation Overhead (White Paper)
Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)
The Great Resilience Quest: 10th Leaderboard Update
