Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

peak time of log sources

lohit
Path Finder
‎10-24-2013 05:26 AM

Hi ,

I have some forwarders installed in my environment and want to calculate the peak time in which log sources forwarded the logs. I have around 15 Universal forwarders installed and looking to create a unified report for all the log sources peak time.(hourly basis). for example If my Log Source A, has send the maximum no of logs between 2-3 pm. SOme thing of that sort.

I would greatly appreciate any help.!!

Regards
Lohit

Tags (1)
Reply

jtrucks
Splunk Employee
Splunk Employee
‎10-24-2013 08:36 AM

You can change the initial search to match what you need, but this works to get the top value, with 1h buckets, per host:

earliest="-1d@d" latest="-0d@d" index=_internal source=*license_usage.log type=Usage s="mylogsourcenamehere" | eval GB=b/1024/1024/1024 | bucket span=1h _time | stats sum(GB) AS GBsum by _time,h | sort -GBsum,h | dedup h

Enjoy.
Jesse

--
Jesse Trucks
Minister of Magic
Reply

lukejadamec
Super Champion
‎10-24-2013 07:20 AM

You can use this to show the count (rough estimate of volume) by source:

index="*" source="*" host="*" |timechart span=1h count by source useother=false limit=50

Or, you can use this to show the count (rough estimate of volume) by host:

index="*" source="*" host="*" |timechart span=1h count by host useother=false limit=15

Use the buttons in the upper left to switch between chart and table view.

You can try this to show the count by hour, host, and source, but there is too much data for the chart.

index="*" source="*" host="*" | bucket _time span=1h |stats count by date_hour,host,source
0 Karma
Reply

davebrooking
Contributor
‎10-24-2013 05:32 AM

Lohit

You could use the license usage logs, something like the following will show how much is being indexed by each UF over time.

index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1024| rename h as host | timechart span=1h sum(MB) AS IndexedMB by host

Dave

0 Karma
Reply

lohit
Path Finder
‎10-24-2013 06:18 AM

Also i am just looking in timeframe of 1hr(full 24 hrs) of previous day only.

0 Karma
Reply

lohit
Path Finder
‎10-24-2013 06:09 AM

the above command shows the usage of all the forwarder in a particular time frame. I was looking for only the the follwoing format

Source Peak Time Amount of Logs

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...