Search string to method to determine heavy hitter ...

OMohi · ‎08-01-2013

Hi:

Is there a procedure or a search string to determine heavy hitter hostname based on operating system. We work on five different operating systems and would like to determine the usage based per os level.

Thanks,
Obaid

sowings · ‎08-05-2013

Try the metrics.log. During each metrics dump (every 30 seconds), the "top X biggest Y" are written out. Where X is defaulted to ten (10), and Y is sourcetype, host, index, etc. The search string would read like:

index=_internal source=*metrics.log group=tcpin_connections | stats sum(kb) AS kb by os

You could also use the results from the os field in the tcpin_connections, to evaluate the OS while getting the accurate license usage from license_usage.log.

OMohi · ‎08-13-2013

could you break down the search to specify heavy hitters by host build using a particular o/s (eg windows)

OMohi · ‎08-02-2013

Yes you r right. I am assuming licensing usage by operating system, split down by hostnames which has the os installed.

sowings · ‎08-02-2013

Assuming you mean license usage?

martin_mueller · ‎08-02-2013

You could tag your hostnames with the OS, and split your query by that tag. Alternatively, you can do the same with a lookup.

Search string to method to determine heavy hitter servers by operating system

Harnessing Splunk’s Federated Search for Amazon S3

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases