Monitoring Splunk

Is there an app/addon that summarizes index of log volumes - by host/by sourcetype?

bevan_broun_sit
Loves-to-Learn Lots

Hi

I was about to create a summary index for log sizes/counts by host and by sourcetype. I require this for alerting when log volumes change.

I can create the indexes/searches but I thought that this might be a common thing - does anyone know of an app/addon that does this already?

Thanks

Bevan

0 Karma

bevan_broun_sit
Loves-to-Learn Lots

Thanks Giuseppe

This is what I got going for myself in test mode

My event indexes have _e_ in them, metrics have _m_ in them, and summary has ..

```spl
earliest=-11m@m latest=-1m@m index=*_e_* OR index=*_m_* NOT index=*summary*
| eval logsize=len(_raw)
| stats sum(logsize) as log_bytes count as log_count by host sourcetype
| eval log_count.{host}.{sourcetype} = log_count
| eval log_bytes.{host}.{sourcetype} = log_bytes
| fields - log_count log_bytes host sourcetype
| stats values(*) as *
| addinfo | mcollect index=log_volume_stats_summary_test split=allnums
```


0 Karma

gcusello
SplunkTrust

Hi @bevan_broun_sit,

I suppose that's correct; do you have any issue?

You can check results with the License consumption reports or with the Monitoring Console reports (which are the same), or with one of these apps:

License Monitoring for Splunk (https://splunkbase.splunk.com/app/3521)

License Usage Dashboards (https://splunkbase.splunk.com/app/3178).

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @bevan_broun_sit,

You could use the searches that you can find in [Settings - License - License Consumption - Last 60 days], schedule them and save the results in a summary index.

Ciao.

Giuseppe

0 Karma

bevan_broun_sit
Loves-to-Learn Lots

Hi

BTW, this is not about license consumption. It's about alerting when something changes its expected logging pattern.

0 Karma
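The per-host/per-sourcetype summary that the search in this thread computes, together with the check the poster actually wants (alert when a source departs from its expected logging pattern, which is not a license question), worked through as an added Python example. This is not code from the thread, from Splunk, or from any Splunkbase app: it stands in for the SPL with plain dictionaries, the event records, hostnames, sourcetypes and counts are constructed sample data, and the alert thresholds (median baseline, 50% tolerance, minimum of three history buckets) are assumptions chosen for illustration. The point a security practitioner cares about is the "silent" case: a (host, sourcetype) pair that was reporting and now produces nothing is how a disabled audit policy or a dead forwarder shows up, and a plain threshold on total index volume will not catch it.

```python
"""Added example, not from the thread: summarize log volume per (host, sourcetype)
the way the poster's search does, then alert on sources whose pattern changed.
All events, hosts, sourcetypes and counts below are constructed sample data."""
from collections import defaultdict
from statistics import median
from typing import Dict, Iterable, List, Tuple

Key = Tuple[str, str]                 # (host, sourcetype): the split-by fields of the search
Bucket = Dict[Key, Dict[str, int]]    # one time bucket: key -> {"log_bytes": n, "log_count": n}


def summarize_bucket(events: Iterable[dict]) -> Bucket:
    """Equivalent of the SPL in the thread for one bucket:
       eval logsize=len(_raw) | stats sum(logsize) as log_bytes count as log_count by host sourcetype
    Splunk's len() counts characters, so len() on a str matches it."""
    out: Bucket = defaultdict(lambda: {"log_bytes": 0, "log_count": 0})
    for ev in events:
        key = (ev["host"], ev["sourcetype"])
        out[key]["log_bytes"] += len(ev["_raw"])
        out[key]["log_count"] += 1
    return dict(out)


def _alert(host: str, sourcetype: str, reason: str, baseline: float, current: int) -> dict:
    return {"host": host, "sourcetype": sourcetype, "reason": reason,
            "baseline": baseline, "current": current}


def check_volume(history: List[Bucket], current: Bucket, metric: str = "log_count",
                 tolerance: float = 0.5, min_history: int = 3) -> List[dict]:
    """Compare the current bucket with a median baseline of earlier buckets (assumed
    thresholds). A (host, sourcetype) pair gets an alert when it is:
      - new_source: present now but never seen in history (unexpected sender)
      - silent:     seen in history, zero now (the case that matters most for security logs)
      - deviation:  |current / baseline - 1| > tolerance
    A pair missing from an earlier bucket counts as 0 in that bucket."""
    alerts: List[dict] = []
    keys = set(current) | {k for b in history for k in b}
    for host, sourcetype in sorted(keys):
        key = (host, sourcetype)
        now = current.get(key, {}).get(metric, 0)
        if not any(key in b for b in history):
            alerts.append(_alert(host, sourcetype, "new_source", 0, now))
            continue
        if len(history) < min_history:
            continue                                   # not enough baseline yet
        past = [b.get(key, {}).get(metric, 0) for b in history]
        baseline = median(past)                        # median: robust to a single past spike
        if baseline == 0:
            continue                                   # historically silent; nothing expected
        if now == 0:
            alerts.append(_alert(host, sourcetype, "silent", baseline, 0))
        elif abs(now / baseline - 1) > tolerance:
            alerts.append(_alert(host, sourcetype, "deviation", baseline, now))
    return alerts


def build_history() -> List[Bucket]:
    """Constructed sample: four earlier buckets, already summarized (as a summary index would hold)."""
    counts = {
        ("web01", "access_combined"):     [100, 110, 95, 105],
        ("dc01", "WinEventLog:Security"): [50, 52, 48, 50],
        ("fw01", "cisco:asa"):            [200, 210, 190, 205],
    }
    return [{k: {"log_count": v[i], "log_bytes": v[i] * 120} for k, v in counts.items()}
            for i in range(4)]


def build_current_events() -> List[dict]:
    """Constructed sample events for the current bucket. dc01's Security log is deliberately
    absent (it went silent); fw01 is flooding; newhost has never been seen before."""
    def mk(host, st, n, tmpl):
        return [{"host": host, "sourcetype": st, "_raw": tmpl.format(i=i)} for i in range(n)]
    return (mk("web01", "access_combined", 98, '10.0.0.{i} - - "GET /index.html HTTP/1.1" 200 512')
            + mk("fw01", "cisco:asa", 700, "%ASA-6-302013: Built outbound TCP connection {i}")
            + mk("newhost", "syslog", 20, "newhost sshd[{i}]: Accepted publickey for ops"))


def run_example() -> List[dict]:
    """Summarize the current bucket from raw events and compare it with the history."""
    return check_volume(build_history(), summarize_bucket(build_current_events()))


if __name__ == "__main__":
    for a in run_example():
        print(a)
```

In Splunk terms, `build_history()` is what the scheduled search writes to the summary or metrics index every 10 minutes, and `check_volume()` is the alert search that reads the last few buckets back out; the important design choice is that the alert iterates over the union of current and historical keys, because a source that disappeared produces no row at all in the current bucket and can only be noticed by comparing against what used to be there.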