×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mconnarty1
Explorer
Member since: ‎12-04-2023
‎02-20-2024
Community Statistics
Posts 4
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎12-04-2023
View All

Re: Looking for a change in the index _indextime r...

by in Monitoring Splunk
‎02-20-2024 05:04 AM
‎02-20-2024 05:04 AM
For anyone else - the below search eventually worked the way I wanted although perhaps there is a more efficient way to do the same thing! | tstats max(_indextime) as indextime WHERE earliest=-7d latest=now() index=* BY sourcetype index _time span=1h ```Look back over a 7 day window, and get the typical number of hours between indextimes, as well as the number of hours seen``` | sort 0 + index sourcetype indextime | streamstats window=2 range(indextime) as range_indextime by sourcetype index | eval range_indextime=range_indextime/60/60 | stats max(indextime) as last_indextime dc(indextime) as hour_count_over_5_days avg(range_indextime) as range_based_spacing by sourcetype index | eval now=now() | eval average_hour_spacing=120/hour_count_over_5_days | eval hours_since_last_seen=if(isnotnull(hours_since_last_seen),hours_since_last_seen,abs((now-last_indextime)/60/60)) ```Compare the time since we last saw indexes, and determine if it is likely late or not.``` | eval is_late=case(((range_based_spacing<=1 AND hours_since_last_seen>=1.5 AND average_hour_spacing<=1) OR (range_based_spacing<=6 AND hours_since_last_seen>=8 AND average_hour_spacing<=6) OR (range_based_spacing<=12 AND hours_since_last_seen>=15 AND average_hour_spacing<=12) OR (range_based_spacing<=24 AND hours_since_last_seen>=36) OR isnull(last_indextime)) AND hour_count_over_5_days>1,"yes",(hours_since_last_seen>24 AND hour_count_over_5_days<=1),"maybe",1=1,"no") | eval last_indextime=strftime(last_indextime,"%Y-%m-%dT%H:%M") | fields - now ... View more

Re: Looking for a change in the index _indextime r...

by in Monitoring Splunk
‎02-19-2024 09:08 AM
‎02-19-2024 09:08 AM
This is what I have so far - but it seems way too complex! It does a baseline inner search to work out the average rate on the -48h -> -24h, and then joins that to the same search but -24h to now. | tstats count WHERE earliest=-24h latest=now() index=* BY index sourcetype _indextime | top limit=5 _indextime by index sourcetype | streamstats range(_indextime) as range_indextime by sourcetype index | stats avg(range_indextime) as observed_avg_range_indextime by index sourcetype | join type=inner index sourcetype [| tstats count WHERE earliest=-48h latest=-24h index=* BY index sourcetype _indextime | top limit=5 _indextime by index sourcetype | streamstats range(_indextime) as range_indextime by sourcetype index | stats avg(range_indextime) as avg_range_indextime by index sourcetype]   ... View more

Looking for a change in the index _indextime rate

by in Monitoring Splunk
‎02-19-2024 08:31 AM
‎02-19-2024 08:31 AM
I want to identify where the rate that an index's _indextime changes by a specific amount, with a tolerence that increases the faster the rate. For example: 1. Index A - It indexes once every 6 hours and populates the past 6 hours of events. In this circumstance I would want to know if it hasn't indexed for 8 hours or more. The tolerance is therefore relatively small (around 30% extra). 2. Index B - It indexes every second, in this circumstance I may forgive it not indexing for a few seconds, but I'd definitely want to know if it hasn't indexed in 10 minutes. The tolerence is therefore relatively large.  I don't think _time is right to use, as that would retrospectively backfill the indexes and I'm thinking it'd give false results.  I feel that either the _internal index or tstats has the answer, but I've not yet come close. ... View more
Labels

Dashboard Studio - equivalent to XML <fields> tag?

by in Dashboards & Visualizations
‎12-04-2023 07:54 AM
‎12-04-2023 07:54 AM
I am trying to use a table column for a drilldown but not display it. In XML dashboards I could do it by specifying: ``` <fields>["field1","field2"...]</fields> ``` I would then still be able to use field3 in setting drilldown tokens. How can I do this in Dashboard Studio? I can't find a way to hide a column without removing the ability to then also refer to it in tokens. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-20-2024 09:46 AM