Search string to method to determine heavy hitter servers by operating system

OMohi
Path Finder

Hi:

Is there a procedure or a search string to determine the heavy hitter hostnames based on operating system? We work on five different operating systems and would like to determine the usage per OS level.

Thanks,
Obaid

sowings
Splunk Employee

Try the metrics.log. During each metrics dump (every 30 seconds), the "top X biggest Y" are written out, where X defaults to ten (10) and Y is sourcetype, host, index, etc. The search string would read like:

index=_internal source=*metrics.log group=tcpin_connections | stats sum(kb) AS kb by os

You could also use the results from the os field in the tcpin_connections to evaluate the OS while getting the accurate license usage from license_usage.log.

OMohi
Path Finder

Could you break down the search to specify heavy hitters by host built using a particular OS (e.g. Windows)?

OMohi
Path Finder

Yes, you are right. I am assuming licensing usage by operating system, split down by the hostnames which have the OS installed.

sowings
Splunk Employee

Assuming you mean license usage?

martin_mueller
SplunkTrust

You could tag your hostnames with the OS, and split your query by that tag. Alternatively, you can do the same with a lookup.

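Putting the two replies together, an added example (not from either poster) that assumes a lookup file host_os.csv with the columns host and os that you maintain yourself: the first search ranks the top ten hostnames per OS from the tcpin_connections kb counter (an approximation of throughput, since only the top ten connections per 30 second dump are logged), the second takes the accurate usage from license_usage.log and restricts it to Windows hosts via the lookup.

```spl
index=_internal source=*metrics.log group=tcpin_connections
| stats sum(kb) AS kb by os hostname
| sort os - kb
| streamstats count AS rank by os
| where rank <= 10

index=_internal source=*license_usage.log type=Usage
| lookup host_os.csv host AS h OUTPUT os
| search os="Windows"
| eval gb=round(b/1024/1024/1024, 3)
| stats sum(gb) AS gb by os h
| sort - gb
| head 10
```

On busy indexers license_usage.log can squash the per-host h field once the number of distinct host/source/sourcetype/index combinations exceeds squash_threshold in server.conf, in which case the second search loses its per-host split; the first search is unaffected because hostname comes from the forwarder connection itself.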