Splunk Search

Log Volume Indexed.

sanju005ind
Communicator

I would like to display the volume indexed from several indexed into following chart.

  • Past 24hrs log volume by time (line graph)
  • Past week’s log volume (bar chart – bar for each day)

It should be Per Host combined since would be filtering the hosts by tags.

Tags (2)
0 Karma

gkanapathy
Splunk Employee
Splunk Employee

earliest=-24h index=_internal source=*metrics.log group=per_host_thruput | rename series as host | tags | where tag=mytag | timechart span=1h sum(kb) by host

earliest=-7d@d latest=@d index=_internal source=*metrics.log group=per_host_thruput | rename series as host | tags| where tag=mytag | timechart span=1d sum(kb) by host

sanju005ind
Communicator

"index=_internal metrics group=per_host_thruput startdaysago=7 | rename series as host | tags | search tag::host=MyTags | bucket span=1d _time | stats sum(kb) as kb by date_mday" . This works for me.Is there any fine tuning to be done?

0 Karma

sanju005ind
Communicator

"index=_internal source=*metrics.log group=per_host_thruput | rename series as host | tags | search tag::host=mytag" this seems to work However when I check this I get very less hosts compared to "
| metadata type=hosts | TAGS | search tag::host=mytag | eval host=lower(host) | fields host| rename host as "series" | join
series[search index="_internal" source="*metrics.log" per_host_thruput | stats sum(kb) by series] "

0 Karma
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...