Welcome to the fifth article of the Spelunking your Splunk series, all designed to help you understand your Splunk environment at a quick glance. Here is a quick recap of the previous articles:

- Spelunking your Splunk Part I (Exploring Your Data) - A clever dashboard that can be used to quickly understand the indexes, sources, sourcetypes, and hosts in any Splunk environment.
- Spelunking your Splunk – Part II (Disk Usage) - A dashboard that can be used to monitor data distribution across multiple indexers.
- Spelunking your Splunk – Part III (License Usage) - A dashboard to understand license usage over time.
- Spelunking your Splunk – Part IV (User Metrics) - A dashboard to provide insight into user activity.

This article focuses on understanding your Splunk environment at a high level:

- How many events ingested over a user-defined time period.
- How that equates to events per second (EPS).
- Visually what the data ingest looks like by total event count and by index.

This dashboard will give it to you and do it fast! As a bonus we will provide the dashboard code at the end of the article.

Finding detailed index information quickly

There are at least two places within Splunk to discover index information. The first uses a RESTful call and provides detailed information about indexes. The second requires more calculation and is less efficient.

For this exercise, let's try copying and pasting the following RESTful search into your Splunk search bar to see what data is returned:

Figure 2: Results of the restful search (remember to scroll right)

Figure 3: Column headers from dbinspect (remember to scroll right)

Now try the following which combines both (thank you Splunk!):

```
| dbinspect index=*
| stats max(rawSize) AS raw_size max(eventCount) AS event_count BY bucketId, index
| stats sum(raw_size) AS raw_size sum(event_count) AS event_count dc(bucketId) AS buckets BY index
| eval raw_size_gb = round(raw_size / 1024 / 1024 / 1024, 2)
| fields index raw_size_gb event_count buckets
| join type=outer index
    [| rest /services/data/indexes-extended
    | table title maxTime minTime frozenTimePeriodInSecs
    | eval minTime = case(minTime >= "0", minTime)
    | stats max(maxTime) AS maxTime min(minTime) AS minTime max(frozenTimePeriodInSecs) AS retention BY title
    | rename title AS index]
| fields index raw_size_gb event_count buckets minTime maxTime retention
```