Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

peak time of log sources

lohit
Path Finder
‎10-24-2013 05:26 AM

Hi ,

I have some forwarders installed in my environment and want to calculate the peak time in which log sources forwarded the logs. I have around 15 Universal forwarders installed and looking to create a unified report for all the log sources peak time.(hourly basis). for example If my Log Source A, has send the maximum no of logs between 2-3 pm. SOme thing of that sort.

I would greatly appreciate any help.!!

Regards
Lohit

Tags (1)
Reply

jtrucks
Splunk Employee
Splunk Employee
‎10-24-2013 08:36 AM

You can change the initial search to match what you need, but this works to get the top value, with 1h buckets, per host:

earliest="-1d@d" latest="-0d@d" index=_internal source=*license_usage.log type=Usage s="mylogsourcenamehere" | eval GB=b/1024/1024/1024 | bucket span=1h _time | stats sum(GB) AS GBsum by _time,h | sort -GBsum,h | dedup h

Enjoy.
Jesse

--
Jesse Trucks
Minister of Magic
Reply

lukejadamec
Super Champion
‎10-24-2013 07:20 AM

You can use this to show the count (rough estimate of volume) by source:

index="*" source="*" host="*" |timechart span=1h count by source useother=false limit=50

Or, you can use this to show the count (rough estimate of volume) by host:

index="*" source="*" host="*" |timechart span=1h count by host useother=false limit=15

Use the buttons in the upper left to switch between chart and table view.

You can try this to show the count by hour, host, and source, but there is too much data for the chart.

index="*" source="*" host="*" | bucket _time span=1h |stats count by date_hour,host,source
0 Karma
Reply

davebrooking
Contributor
‎10-24-2013 05:32 AM

Lohit

You could use the license usage logs, something like the following will show how much is being indexed by each UF over time.

index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1024| rename h as host | timechart span=1h sum(MB) AS IndexedMB by host

Dave

0 Karma
Reply

lohit
Path Finder
‎10-24-2013 06:18 AM

Also i am just looking in timeframe of 1hr(full 24 hrs) of previous day only.

0 Karma
Reply

lohit
Path Finder
‎10-24-2013 06:09 AM

the above command shows the usage of all the forwarder in a particular time frame. I was looking for only the the follwoing format

Source Peak Time Amount of Logs

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...