Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

log volume by host

bgill0123
Loves-to-Learn
‎02-23-2021 12:11 PM

Hello,

I have 26 hosts reporting data to a specific index. These hosts are prone to malfunction at any time 🙂

Is there a search I can do that will show me any dramatic increases in logging volume from any of the hosts?

 

Thanks

Labels (1)
Labels
0 Karma
Reply

manjunathmeti
Champion
‎02-24-2021 06:41 AM

hi @bgill0123 ,

The below query will give the total count of events per host every hour for the index. You can select any chart to see the pattern.

| tstats count where index="indexname" by host, _time 
| timechart span=1h sum(count) as count by host

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma
Reply

effem2
Path Finder
‎02-24-2021 05:11 AM

Hi bgill0123,

 

in order to get an overview of the data ingestion rates by host you can use this example:

 

index=_internal sourcetype=splunkd fwdType=* group=tcpin_connections(connectionType=cooked OR connectionType=cookedSSL) 
| timechart minspan=30s avg(eval(tcp_KBps)) as "KB/s", avg(tcp_eps) as "Events/s" by hostname

 

 

Additionally if you are using the Monitoring Console you can find desired information here:
https://<your_MC>:8000/en-GB/app/splunk_monitoring_console/forwarder_deployment

In order to only get the the dramatically increased ingestion-rates you need to define what "dramatic" means.
If we are going with "double" == "dramatic" then we can run the following example:

 

index=_internal sourcetype=splunkd "group=tcpin_connections" ("connectionType=cooked" OR "connectionType=cookedSSL")  earliest="-2d@d" latest=@d 
| fields hostname, tcp_KBps
| bin _time span=1h
| stats max(eval(tcp_KBps)) as "max_kbs" by _time, hostname 
| stats avg(max_kbs) as avg_max_kbs latest(max_kbs) as latest_max_kbs by hostname
| eval dramatic_threshold=avg_max_kbs*2
| eval dramatic=if(latest_max_kbs>dramatic_threshold,"true","false")
| where dramatic=="true"


This will give you a list of hosts where in the last 1h there was a peak higher than the average peaks in the last 2 days.

This can be modified to calculate the Volume as well. 

-----
Hope this helps.
If this answer helped you, please upvote/mark as resolution.

Kind,
Florian

 

Tags (3)
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...