status of data feeds coming in

ecanmaster
Explorer

Is there a way to show the total feeds coming in per sourcetype etc. every day?
It would be good if I could see the data in a graph, so we can clearly see fluctuations.

ecanmaster
Explorer

Thanks everyone for your feedback; the query I am using is this:

| tstats count WHERE index=* GROUPBY sourcetype, _time span=1d | timechart span=1d sum(count) by sourcetype

This seems to be working pretty well, but I can't filter out sourcetypes that, for example, didn't receive any feeds for more than 24 hours.

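The follow-up in the post above (listing sourcetypes that have gone quiet for more than 24 hours) is not answered elsewhere in the thread. The search below is an added example, not any poster's own; the 30-day lookback and the 24-hour threshold are assumptions to adjust as needed.

```spl
| tstats max(_time) as last_seen where index=* earliest=-30d by sourcetype
| eval hours_silent=round((now()-last_seen)/3600,1)
| where hours_silent>24
| eval last_seen=strftime(last_seen,"%Y-%m-%d %H:%M:%S")
| sort - hours_silent
| table sourcetype last_seen hours_silent
```

A sourcetype that sent nothing at all inside the lookback window does not appear in the output, so to catch feeds that have been dead longer than that, compare the result against a lookup of expected sourcetypes.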

nickhills
Ultra Champion

Hi - I added this post - If you find it useful, please upvote the answer, or add your own solution if you found another way!

https://answers.splunk.com/answers/606762/how-do-i-monitor-jbosstomcatapacheetc-and-raise-an.html

If my comment helps, please give it a thumbs up!

nickhills
Ultra Champion

This is the search I use for exactly this purpose.

| tstats count AS tscount by sourcetype, _time | timechart max(tscount) by sourcetype useother=false
If my comment helps, please give it a thumbs up!

Elsurion
Communicator

If you'd like to create a long-term overview of your event inputs, you can add the collected data to a summary index.
I'm collecting the events and the license usage here for a yearly report 🙂
This saved search runs every hour to keep the load on the indexer small enough.

index=_internal sourcetype=splunkd group=per_sourcetype_thruput
| bucket span=1h _time
| stats sum(ev) as ev by series host _time
| rename series as sourcetype

| join type=left sourcetype _time
[ search index=_internal source=*license* type="Usage"
| fields st, b, _time
| bucket _time span=1h
| stats sum(b) as b by st,_time
| eval mb=round(b/1024/1024,3)
| rename st as sourcetype
]

| join type=left sourcetype
[
| eventcount summarize=false index=* index=_* | dedup index | fields index
| map maxsearches=100 search="|metadata type=sourcetypes index=\"$index$\" | eval index=\"$index$\""
| fields index sourcetype
]
| eval index=if(isnull(index),"undefined",index)
| eval type="index_stats"
| fillnull value=0
| rename index as myindex, host as myhost, sourcetype as mysourcetype
| table _time, myindex, myhost, mysourcetype, ev, mb, b, type
| collect index=lic_summary

rvinjana
Explorer

index=*
| timechart span=1d count by sourcetype

Switch to visualization and see which chart suits you.


DavidHourani
Super Champion

I downvoted this post because you should never use index=*.


mayurr98
Super Champion

Try this!

| tstats count where index=* by sourcetype _time | timechart span=1d sum(count) by sourcetype

You can change the span according to your need. Run this for all time.
