I need help figuring something out.
Got this search during .conf19 to be used to do a Forwarder weight distribution search:
index=_internal Metrics sourcetype=splunkd TERM(group=tcpin_connections) earliest=-4hr latest=now [|dbinspect index=_*
|stats values(splunk_server) as indexer
|eval search="host IN (".mvjoin(mvfilter(indexer!=""),",").")"]
|stats sum(kb) as throughput by hostname
|sort - throughput
|eventstats sum(throughput) as total_throughput dc(hostname) as all_forwarders
|streamstats sum(throughput) as accumlated_throughput count by all_forwarders
|eval coverage=accumlated_throughput/total_throughput, progress_through_forwarders=count/all_forwarders
|bin progress_through_forwarders bins=100
|stats max(coverage) as coverage by progress_through_forwarders all_forwarders
|fields progress_through_forwarders coverage
How do I interpret the results from this search? If the numerical representation of coverage is within 0.1 across all results, is that success? Across 100 results, the coverage values range from 0.82594059014 to 1.0000000.
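An added example, not part of the original post and not Splunk's own code: a Python re-implementation of the search's `stats`/`streamstats` pipeline, run over constructed per-forwarder throughput to show what each `coverage` row means for evenly balanced versus skewed forwarders. The host names, kb values and the fixed-width bucketing that stands in for `bin ... bins=100` are assumptions.

```python
from collections import defaultdict

def coverage_curve(events, bins=100):
    """events: (hostname, kb) pairs, one per tcpin_connections metrics event."""
    throughput = defaultdict(float)
    for hostname, kb in events:              # stats sum(kb) as throughput by hostname
        throughput[hostname] += kb
    ranked = sorted(throughput.values(), reverse=True)   # sort - throughput
    total, n = sum(ranked), len(ranked)      # eventstats sum(throughput), dc(hostname)
    if total == 0:
        return {}                            # no forwarder traffic in the window
    curve, acc = {}, 0.0
    for count, kb in enumerate(ranked, start=1):   # streamstats sum(throughput), count
        acc += kb
        coverage = acc / total               # share of all traffic seen so far
        # progress_through_forwarders = count / n, bucketed with integer math
        # (assumption: fixed-width buckets stand in for Splunk's bin command)
        bucket = (count * bins // n) / bins
        # stats max(coverage) as coverage by progress_through_forwarders
        curve[bucket] = max(curve.get(bucket, 0.0), coverage)
    return dict(sorted(curve.items()))

# Constructed sample data: 100 forwarders in each case.
# BALANCED: every forwarder sends 50 kb in total (two 25 kb events each).
BALANCED = [(f"fwd{i:03d}", 25.0) for i in range(100)] * 2
# SKEWED: one forwarder sends 39600 kb, the other 99 send 100 kb each.
SKEWED = [("fwd000", 39600.0)] + [(f"fwd{i:03d}", 100.0) for i in range(1, 100)]

if __name__ == "__main__":
    for name, events in (("balanced", BALANCED), ("skewed", SKEWED)):
        curve = coverage_curve(events)
        print(name, "first row:", min(curve.items()), "rows:", len(curve))
```

With the balanced input each row's coverage tracks `progress_through_forwarders` (0.01 at 0.01, 0.5 at 0.5), while with the skewed input the first row is already 0.8 because a single forwarder carries 80% of the traffic.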