- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to generate a search to determine why our lice...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Over the holiday weekend our license usage doubled and I need to figure out what is causing this. I have S.o.S - Splunk on Splunk installed but I am not sure if this is where I find this information. anyone have any searches to determine what devices started sending data or volume change?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try running these searches for the last 10 days:
| tstats count GroupBy index _time span=1d
| timechart span=1d sum(count) BY index
Get more granular with this:
| tstats count GroupBy sourcetype index _time span=1d
| eval entity = sourcetype . "/" . index
| timechart span=1d sum(count) BY entity
Get the most granularity with this:
| tstats count GroupBy host sourcetype index _time span=1d
| eval entity = host . "/" . sourcetype . "/" . index
| timechart span=1d sum(count) BY entity
These will chart changes in # of events, but if the problem is that this metric is more or less the same and the problem is that the average size of a particular event has increased, then it will not be evident.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try running these searches for the last 10 days:
| tstats count GroupBy index _time span=1d
| timechart span=1d sum(count) BY index
Get more granular with this:
| tstats count GroupBy sourcetype index _time span=1d
| eval entity = sourcetype . "/" . index
| timechart span=1d sum(count) BY entity
Get the most granularity with this:
| tstats count GroupBy host sourcetype index _time span=1d
| eval entity = host . "/" . sourcetype . "/" . index
| timechart span=1d sum(count) BY entity
These will chart changes in # of events, but if the problem is that this metric is more or less the same and the problem is that the average size of a particular event has increased, then it will not be evident.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! this helped determine what index doubled in size. How do i run these searches for that particular index? I tried adding index=XXX but the search did not like it at all
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, check out the Meta Woot! app:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh this looks like a great app!!! do i have to install it in all HF and indexers? I installed in the search head and no data came up.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After the tstats line add this line:
| search index="XXX"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NICE! that worked!!
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
