Been poking around and trying to figure out how to pull up how much data has been sent from a specific host.

For example, host 123 is sending CPU data every 10 sec; how much data is that over the course of time = "X"?

asked 25 Apr '12, 15:27

mlevenson

accept rate: 0%

edited 25 Apr '12, 15:29

ChrisG ♦

One Answer:

This should do it - this shows how much data has been indexed from various hosts:

index=_internal source=*metrics.log group="tcpin_connections" 
| eval sourceHost=if(isnull(hostname), sourceHost,hostname)
| stats sum(kb) as KB by sourceHost | eval KB = round(KB)

answered 25 Apr '12, 16:05

lguinn ♦
accept rate: 30%
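
The aggregation that the search in the answer performs, reproduced offline in Python as an added example (not part of the original answer and not Splunk code). The sample lines are constructed; only the field names `group`, `hostname`, `sourceHost` and `kb` come from the query, and the rest of the line layout is an assumption.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines (hosts, ports and kb values are made up).
SAMPLE_METRICS = """\
04-25-2012 15:30:01.102 -0400 INFO  Metrics - group=tcpin_connections, 10.0.0.23:51844:9997, connectionType=cooked, sourcePort=51844, sourceHost=10.0.0.23, sourceIp=10.0.0.23, destPort=9997, kb=12.40, hostname=host123
04-25-2012 15:30:31.102 -0400 INFO  Metrics - group=tcpin_connections, 10.0.0.23:51844:9997, connectionType=cooked, sourcePort=51844, sourceHost=10.0.0.23, sourceIp=10.0.0.23, destPort=9997, kb=11.30, hostname=host123
04-25-2012 15:30:01.102 -0400 INFO  Metrics - group=tcpin_connections, 10.0.0.40:40022:9997, connectionType=raw, sourcePort=40022, sourceHost=10.0.0.40, sourceIp=10.0.0.40, destPort=9997, kb=3.00
04-25-2012 15:30:01.102 -0400 INFO  Metrics - group=thruput, name=index_thruput, kb=99.00
"""

# key=value pairs; values are either quoted or run up to a comma/space.
KV = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def kb_by_source_host(text, group="tcpin_connections"):
    """Sum kb per sending host, like `stats sum(kb) as KB by sourceHost`."""
    totals = defaultdict(float)
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        # Same filter as group="tcpin_connections" in the search.
        if fields.get("group") != group or "kb" not in fields:
            continue
        # eval sourceHost=if(isnull(hostname), sourceHost, hostname)
        host = fields.get("hostname") or fields.get("sourceHost")
        if host is None:
            continue  # stats ... by sourceHost drops events without the field
        totals[host] += float(fields["kb"])
    # eval KB = round(KB); floor(x + 0.5) rounds halves up for non-negative
    # sums, avoiding Python's round-half-to-even.
    return {h: math.floor(kb + 0.5) for h, kb in totals.items()}


if __name__ == "__main__":
    for host, kb in sorted(kb_by_source_host(SAMPLE_METRICS).items()):
        print(f"{host}\t{kb} KB")
```

The totals are keyed by the sending host of each connection, so traffic is attributed to `hostname` when the event carries it and to `sourceHost` otherwise.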

Copyright © 2005-2014 Splunk Inc. All rights reserved.