Is there any Splunk query that would provide the d...

rajim · ‎02-27-2019

Is there any Splunk query that would provide the details of HF ports where incoming logs are dropping?
For ex I have one HF. Now I want to know if there are any UDP ports where incoming logs are dropping and the logs are not indexing in splunk. I can perform tcpdump to get this. But I want to know the historical details from when this has been started, how many ports are involved in the past in such log dropping incident etc. So it would be better if splunk can capture these events and show us the details of such events. Is there any facilities in Splunk?

terminaloutcome · ‎02-27-2019

If the queue's blocking it'll drop traffic - index=_internal Metrics blocked=true NOT StreamedSearch | table _time, host, name, max_size_kb, current_size_kb is a starter search for showing where Splunk knows it's blocking.

To monitor UDP queue headroom, I use index=_internal Metrics group=queue NOT StreamedSearch name=udp* | eval headroom=max_size_kb-current_size_kb | timechart avg(headroom) by host

rajim · ‎03-04-2019

@terminaloutcomes Thank you for your response. I need this information by port no. But these queries doesn't provide any port information. Is that possible to get the dropped information by port?

Is there any Splunk query that would provide the details of HF ports where incoming logs are dropping?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms