![]() If the labelfield argument is specified, a column is added to the statistical results table with the name specified. Results are displayed on the Statistics tab. The result contains the sum of each numeric field or you can specify which fields to summarize. | eval maxTime = replace(maxTime, "T", " "), maxTime = replace(maxTime, "\+0000", ""), minTime = replace(minTime, "T", " "), minTime = replace(minTime, "\+0000", ""), retention = round(retention / 86400, 0).The addcoltotals command appends a new result to the end of the search result set. | tstats prestats=t count where index=* by index, _time | timechart count by index | tstats prestats=t count where index=* by _time | timechart count | rename raw_size_gb AS "Index Size (GB)" event_count AS "Total Event Count" buckets AS "Total Bucket Count" minTime AS "Earliest Event" maxTime AS "Latest Event" retention AS Retention | stats count | eval minTime = case(minTime >= "0", minTime) | tstats count where index=* | addinfo | eval diff = info_max_time - info_min_time | eval EPS = count / diff | table EPS Feel free to modify the dashboard as needed: Enjoy!īelow is the dashboard code needed to enumerate your Splunk stats. Splunk provides decent visibility into various features within Monitoring Console / DMC (Distributed management console), but we found this flexible and customizable dashboard to be quite helpful for gaining additional insight. :-)įinding source, sourcetype, and host data quickly Now that you understand the basics, the sky is the limit. | rename raw_size_gb AS "Index Size (GB)" event_count AS "Total Event Count" buckets AS "Total Bucket Count" minTime AS "Earliest Event" maxTime AS "Latest Event" retention AS Retention | rename title AS index] | fields index raw_size_gb event_count buckets minTime maxTime retention ![]() | stats max(maxTime) AS maxTime min(minTime) AS minTime max(frozenTimePeriodInSecs) AS retention BY title | table title maxTime minTime frozenTimePeriodInSecs | join type=outer index [| rest /services/data/indexes-extended | eval raw_size_gb = round(raw_size / 1024 / 1024 / 1024, 2) | fields index raw_size_gb event_count buckets | stats sum(raw_size) AS raw_size sum(event_count) AS event_count dc(bucketId) AS buckets BY index | stats max(rawSize) AS raw_size max(eventCount) AS event_count BY bucketId, index Now try the following which combines both (thank you Splunk!): For this exercise, lets try copying and pasting the following RESTful search into your Splunk search bar to see what data is returned:įigure 2: Results of the restful search (remember to scroll right)įigure 3: Column headers from dbinspect (remember to scroll right) The second requires more calculation and is less efficient. The first uses a RESTful call and provides detailed information about indexes. There are at least two places within Splunk to discover index information. ![]() This dashboard will give it to you and do it fast! As a bonus we will provide the dashboard code at the end of the article.įinding detailed index information quickly
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |