Splunk Search

How to write a search to calculate these totals to display in their own single value visualizations?

mwdbhyat
Builder

Hi there,

I need to do the following calculations and return them in their own single value visualization. Any thoughts on the timechart search to use?

  • Total Number of Systems
  • Total Volume Indexed
  • Total Number of Events
  • Total Number of Sourcetypes
  • Total Volumes transferred per day

Thanks

0 Karma
1 Solution

sundareshr
Legend

Try these (pick your timeframe)

*Total Number of Systems *

    index=yourindex | stats dc(host) as hosts

*Total Volume Indexed*

    index="_internal" source="*metrics.log" group="per_host_thruput" | stats sum(kb) | sort - sum(kb)

*Total Number of Events*

| metadata type=sourcetypes | stats sum(totalCount) as totalevents

*Total Number of Sourcetypes *

| metadata type=sourcetypes index=* | stats count

*Total Volumes transferred per day*
Not sure what this means

View solution in original post

0 Karma

sundareshr
Legend

Try these (pick your timeframe)

*Total Number of Systems *

    index=yourindex | stats dc(host) as hosts

*Total Volume Indexed*

    index="_internal" source="*metrics.log" group="per_host_thruput" | stats sum(kb) | sort - sum(kb)

*Total Number of Events*

| metadata type=sourcetypes | stats sum(totalCount) as totalevents

*Total Number of Sourcetypes *

| metadata type=sourcetypes index=* | stats count

*Total Volumes transferred per day*
Not sure what this means

0 Karma

mwdbhyat
Builder

Thanks - is there any way to put this all in the form of a single value trendline visual so that I can monitor changes for each. The top 4 questions will be over 30 days. The last one is per day.

With regards to the "Total Volume Indexed" how would I set this for specific indexes(all of the above are for specific indexes)

"Total Volume transferred per day" would be the amount of data indexed per day to a specific index.

0 Karma

sundareshr
Legend

Not sure what you mean by "all in the form of a single values trendline visual". You cannot combine these into to one single value visualization, if that's what you are asking. Single Value shows only one value, hence single value. What you can do is create a dashboard with a single value for each.

To get the total volume for a specific index, you can add index=nameofindex to the query.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Scenarios/Createsingle-valuevisualizations#Part_2:...

0 Karma

mwdbhyat
Builder

Hi,

Thanks for the reply. Yes they are all separate single value viz's..

I need them to display changes per month. IE - total number of events would show the single value with either an arrow up or down depending on the increase or decrease since the last month.. I need that sort of thing for each separate visual I am creating(hosts, sourcetypes, volume etc).

0 Karma

sundareshr
Legend

Ah!!! In that case, change the stats command to timechart like this and run it over 2 months (or add earliest=-2mon@mon)

... | timechart span=1mon count partial=f
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...