data ingestion

sverdhan · ‎10-03-2024

Hello everyone,

I have created a query that list sourectypes :

index=_audit action=search info=granted source="*metrics.log" group="per_sourcetype_thruput" | eval _raw=search | eval _raw=mvindex(split(_raw,"|"),0) | table _raw | extract | stats count by sourcetype | eval hasBeenSearched=1 | append [| metadata index=* type="sourcetypes" | eval hasBeenSearched="0"] | chart sum(kb) by series | sort - sum(kb) | search hasBeenSearched="0" | search NOT[inputlookup sourcetypes_1.csv | fields sourcetype]

I would want to modify this query such that it also enlists the volume ingestion of these sourcetypes as well...Kindly suggest

gcusello · ‎10-03-2024

Hi @sverdhan ,

Go in [Settings > Licensing > License Usage > Previous 60 days > Split by Sourcetype] and you'll have your search that will be:

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx   
| timechart span=1d sum(b) AS volumeB by st fixedrange=false  
| fields - _timediff  
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Ciao.

Giuseppe

data ingestion

search head

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability