Been poking around and trying to figure out how to pull up how much data has been sent from a specific host.
For example, host 123 is sending CPU data every 10 sec; how much data is that over the course of time = "X"?
Most Recent Activity:
by ChrisG ♦
This should do it - this shows how much data has been indexed from various hosts
index=_internal source=*metrics.log group="tcpin_connections"
| eval sourceHost=if(isnull(hostname), sourceHost,hostname)
| stats sum(kb) as KB by sourceHost | eval KB = round(KB)
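To check the numbers for one host and one time window outside of Splunk, the same aggregation can be run over raw metrics.log lines. This is an added example, not part of the original answer; the line layout and timestamp format are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed metrics.log lines (layout assumed, values made up).
SAMPLE = """\
03-01-2024 10:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, sourceHost=10.0.0.5, kb=12.5, hostname=host123
03-01-2024 10:00:30.000 +0000 INFO  Metrics - group=tcpin_connections, sourceHost=10.0.0.5, kb=7.25, hostname=host123
03-01-2024 10:00:30.000 +0000 INFO  Metrics - group=tcpin_connections, sourceHost=10.0.0.9, kb=3.0
03-01-2024 10:00:30.000 +0000 INFO  Metrics - group=thruput, name=index_thruput, kb=99.0
03-01-2024 11:30:00.000 +0000 INFO  Metrics - group=tcpin_connections, sourceHost=10.0.0.5, kb=40.0, hostname=host123
"""

TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f %z"   # assumed timestamp layout
KV = re.compile(r"(\w+)=([^,\s]+)")      # key=value pairs, comma separated


def kb_by_host(text, start, end):
    """Sum kb per host for tcpin_connections lines with start <= time < end."""
    totals = defaultdict(float)
    for line in text.splitlines():
        stamp, sep, body = line.partition(" INFO ")
        if not sep:
            continue
        fields = dict(KV.findall(body))
        if fields.get("group") != "tcpin_connections" or "kb" not in fields:
            continue
        try:
            when = datetime.strptime(stamp.strip(), TS_FORMAT)
            kb = float(fields["kb"])
        except ValueError:
            continue  # skip malformed lines instead of aborting the count
        if not (start <= when < end):
            continue
        # Same fallback as the eval in the search: prefer hostname, else sourceHost.
        host = fields.get("hostname") or fields.get("sourceHost", "unknown")
        totals[host] += kb
    # Like `eval KB = round(KB)`; the two can differ on exact .5 totals.
    return {host: round(kb) for host, kb in totals.items()}


if __name__ == "__main__":
    start = datetime(2024, 3, 1, 10, tzinfo=timezone.utc)
    end = datetime(2024, 3, 1, 11, tzinfo=timezone.utc)
    print(kb_by_host(SAMPLE, start, end))
```

A host whose total drops to zero or jumps well above its usual volume in a window is worth a look, since either a forwarder has gone quiet or something is sending far more than expected.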