- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Improve Search Performance
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Ive constructed the below 5 searches to populate a dashboard, once they go onto our live systems they are going to be going through TB of data.. I need to make these searches as efficient as possible using using tstats, rest endpoints, summaries, scheduled reports and was wondering if anyone could point me in the direction of what to use and where in my searches or improve the syntax? (search noob) So far timechart is being used for all of them as they are in single value visual form with a trend arrow per month.
Total Number of Systems - 30 Days
index=test earliest=-2mon@mon | timechart span=1mon dc(host) as Hosts
Total Volume Indexed - 30 Days
index=_internal source=license_usage.log type=Usage pool= idx=test earliest=-2mon@mon | rename idx as Index | timechart span=1mon sum(b) as Bytes
Total Number of Events - 30 Days
index=test earliest=-2mon@mon| timechart span=1mon count
Total Number of Sourcetypes - 30 Days
index=test earliest=-2mon@mon| timechart span=1mon dc(sourcetype) as sourcetypes
Total Volume Per Day
index=_internal source=license_usage.log type=Usage pool= idx=test earliest=-2d@d | rename idx as Index | timechart span=1d sum(b) as Bytes
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For every query, other than ones which are showing license_usage, you can use tstats. For license usage queries, I would sugggest to go for summary indexing/data model with accelaration.
Total Number of Systems - 30 Days
| tstats dc(host) as Hosts WHERE index=test earliest=-2mon@mon by _time span=1mon
Total Volume Indexed - 30 Days
Create a summary index with below search to run daily and then use the result of that summary index in your dashboard
index=_internal source=license_usage.log type=Usage pool=* idx=test earliest=-1d@d latest=@d | timechart span=1mon sum(b) as Bytes
Total Number of Events - 30 Days
| tstats count WHERE index=test earliest=-2mon@mon by _time span=1mon
Total Number of Sourcetypes - 30 Days
| tstats dc(sourcetype) as sourcetypes WHERE index=test earliest=-2mon@mon by _time span=1mon
Total Volume Per Day
Use the summary index created for "Total Volume Indexed - 30 Days"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For every query, other than ones which are showing license_usage, you can use tstats. For license usage queries, I would sugggest to go for summary indexing/data model with accelaration.
Total Number of Systems - 30 Days
| tstats dc(host) as Hosts WHERE index=test earliest=-2mon@mon by _time span=1mon
Total Volume Indexed - 30 Days
Create a summary index with below search to run daily and then use the result of that summary index in your dashboard
index=_internal source=license_usage.log type=Usage pool=* idx=test earliest=-1d@d latest=@d | timechart span=1mon sum(b) as Bytes
Total Number of Events - 30 Days
| tstats count WHERE index=test earliest=-2mon@mon by _time span=1mon
Total Number of Sourcetypes - 30 Days
| tstats dc(sourcetype) as sourcetypes WHERE index=test earliest=-2mon@mon by _time span=1mon
Total Volume Per Day
Use the summary index created for "Total Volume Indexed - 30 Days"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for this!! Is there any way I can keep my trend indicator arrow? They are not showing anymore now that the search has changed..They are enabled etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Quick question - shouldnt, index=_internal source=license_usage.log type=Usage pool=* idx=test earliest=-1d@d latest=@d | timechart span=1mon sum(b) as Bytes have earliest and latest set to @mon rather than @day?
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
