I have hosts/forwarders reporting to multiple indexers using load balancing.I have 3 in Americas,2 in Aspac.
I am able to get the output using the query index="_internal" source="*metrics.log" per_host_thruput | chart sum(kb) by series, splunk_server.
I want to get the output with the following columns host,TotalVolume,Indexer/s
Could you please help.
You should be able to search:
index=_internal source=*.metrics.log group=per_host_thruput | stats sum(kb) as TotalVolume values(splunk_server) as "Indexer/s" by series | rename series as host
You should be able to search:
index=_internal source=*.metrics.log group=per_host_thruput | stats sum(kb) as TotalVolume values(splunk_server) as "Indexer/s" by series | rename series as host
Thanks a lot Stephen.
What do you mean by host? Do you mean forwarder?