I need to find how much volume hosts are sending to my "main" index. The search below queries the internal index, and I'm not seeing the hosts that I need. If I search a specific host under main index, the host is there and actively sending data to the indexer. I've tried modifying the search from index="_internal" to index="main", and it doesn't report anything back
From:
index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)
To:
index="main" source="WMI:WinEventLog:Security" | chart sum(kb) by series | sort - sum(kb)
But, with only:
index="main" source="WMI:WinEventLog:Security"
Brings back 2710 results from today.
I have hosts that are sending to this index, and I need to be able to tell how much data they're sending, but the internal index isn't showing them for some reason....
Please try with below query,
index=_internal source=*license_usage.log type="Usage" earliest=-30d@d latest=@d | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval idx=main | bin _time span=1d | eval b=b/1024/1024/1024 | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | addtotals | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d latest=@d | bin _time span=1d | stats latest(stacksz) AS "stack_size" by _time] | eval stack_size = round(stack_size/1024/1024/1024,5)
There is one app in splunkbase named meta woot. It will give some more capabilities.
Your search didn't work. It resulted in nothing found. Metawoot doesn't find anything and it doesn't seem like I can change the index to anything but "All".