Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- About sverdhan
sverdhan
Loves-to-Learn
Member since:
09-23-2024
10-04-2024
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 09-23-2024 |
Activity Feed
- Posted How to get ingest volume for 1200 sourcetypes ? on Splunk Search. 10-04-2024 07:20 AM
- Posted data ingestion on Monitoring Splunk. 10-03-2024 03:30 AM
- Posted Re: non searchable sourcetypes on Splunk Search. 09-26-2024 12:30 AM
- Posted non searchable sourcetypes on Splunk Search. 09-26-2024 12:12 AM
- Posted Re: splunk on Monitoring Splunk. 09-23-2024 07:26 AM
- Posted Re: splunk on Monitoring Splunk. 09-23-2024 06:40 AM
- Posted How find amount not ingested? on Monitoring Splunk. 09-23-2024 04:24 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-04-2024
07:20 AM
i have a query that will calculate the volume of data ingested in a sourcetype--
index=federated:infosec_apg_share source=InternalLicenseUsage type=Usage idx=*_p* idx!=zscaler* st=<your sourcetype here> | stats sum(b) | eval GB = round('sum(b)'/1073741824,2) | fields GB
The issue is I have a list of 1200 sourcetypes . please suggest me how can I adjust the entire list into this query
... View more
Labels
- Labels:
-
search job inspector
10-03-2024
03:30 AM
Hello everyone,
I have created a query that list sourectypes :
index=_audit action=search info=granted source="*metrics.log" group="per_sourcetype_thruput" | eval _raw=search | eval _raw=mvindex(split(_raw,"|"),0) | table _raw | extract | stats count by sourcetype | eval hasBeenSearched=1 | append [| metadata index=* type="sourcetypes" | eval hasBeenSearched="0"] | chart sum(kb) by series | sort - sum(kb) | search hasBeenSearched="0" | search NOT[inputlookup sourcetypes_1.csv | fields sourcetype]
I would want to modify this query such that it also enlists the volume ingestion of these sourcetypes as well...Kindly suggest
... View more
Labels
- Labels:
-
search head
09-26-2024
12:30 AM
Thank you for your prompt reply ..
Actually , I am having this search which lists the sourcetypes that have not been searched , but it is not very accurate so it might contain sourcetypes that are still searchable :
index=_audit action=search info=granted | eval _raw=search | eval _raw=mvindex(split(_raw,"|"),0) | table _raw | extract | stats count by sourcetype | eval hasBeenSearched=1 | append [| metadata index=* type="sourcetypes" | eval hasBeenSearched="0"] | stats max(hasBeenSearched) as hasBeenSearched by sourcetype | search hasBeenSearched="0"
So, I created a lookup into which I have put the sourcetypes that have been searched...I was thinking to reference this lookup in the above mentioned query so that it could remove the sourcetypes that are searchable .. But the query is not giving me results . Can you please check where should i Adjust those commands related to referencing that lookup ..
here is how I have used the query, but the results are not coming:
index=_audit action=search info=granted | eval _raw=search | eval _raw=mvindex(split(_raw,"|"),0) | table _raw | extract | stats count by sourcetype | eval hasBeenSearched=1 | append [| metadata index=* type="sourcetypes" | eval hasBeenSearched="0"] | stats max(hasBeenSearched) as hasBeenSearched by sourcetype| search NOT [inputlookup sourcetypes_1.csv | fields sourcetype] | search hasBeenSearched="0"
... View more
09-26-2024
12:12 AM
Hello All, I am looking for a query that can provide me with a list of sourcetypes that have not been searched .Kindly suggest.
... View more
Labels
- Labels:
-
search job inspector
09-23-2024
07:26 AM
Thank you , Do you have a general query to calculate the volume ingested for any sourcetype in general?
... View more
09-23-2024
06:40 AM
thank you for your reply , can you suggest any method apart from the lookup one?
... View more
09-23-2024
04:24 AM
i have used the below query to get a list of 25 sourcetypes who are not reporting for the last 30 days ...but i need to know the volume of data ingested by them...kindly suggest any ideas or any alternative methods: | metadata type=sourcetypes | eval diff=now()-lastTime | where diff > 3600*24*30 | convert ctime(lastTime) | convert ctime(firstTime) | convert ctime(recentTime) | sort -diff
... View more
Labels
- Labels:
-
search performance
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-04-2024
10:41 AM
|
