- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is there a metric search to define how many times ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Everyone,
Is there a metric Search to define how many times load balanced forwarders switch indexers?
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did this search by my self
index=_internal source=metrics.log "group=tcpin_connections" host=ip-10-0-163 | eval sourceHost=if(isnull(hostname), sourceHost,hostname)
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename version as Ver
| fields connectType sourceIp sourceHost destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server Ver
| eval Indexer= splunk_server
| eval Date=strftime(_time,"%d-%m-%Y %H:%M:%S")
| search connectType="heavy fwder"
| sort - _time
| streamstats count, range(_time) as duration min(_time) as min_time, max(_time) as max_time sum(tcp_Kprocessed) as kb_processed, sum(tcp_eps) as tcp_eps by sourceIp destPort Indexer
| eval mb_processed=kb_processed/1024
| eventstats min(mb_processed) as min_mb avg(mb_processed) as avg_mb max(mb_processed) as max_mb
| table count sourceIp, Indexer ,duration, tcp_eps mb_processed destPort min_mb max_mb avg_mb
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did this search by my self
index=_internal source=metrics.log "group=tcpin_connections" host=ip-10-0-163 | eval sourceHost=if(isnull(hostname), sourceHost,hostname)
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename version as Ver
| fields connectType sourceIp sourceHost destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server Ver
| eval Indexer= splunk_server
| eval Date=strftime(_time,"%d-%m-%Y %H:%M:%S")
| search connectType="heavy fwder"
| sort - _time
| streamstats count, range(_time) as duration min(_time) as min_time, max(_time) as max_time sum(tcp_Kprocessed) as kb_processed, sum(tcp_eps) as tcp_eps by sourceIp destPort Indexer
| eval mb_processed=kb_processed/1024
| eventstats min(mb_processed) as min_mb avg(mb_processed) as avg_mb max(mb_processed) as max_mb
| table count sourceIp, Indexer ,duration, tcp_eps mb_processed destPort min_mb max_mb avg_mb
Devesh Logendran, Splunk, and the Singapore Cyber Conquest
There's No Place Like Chrome and the Splunk Platform
Customer Experience | Join the Customer Advisory Board!
