splunk-queries

Differences

This shows you the differences between two versions of the page.

Previous revision: splunk-queries [2024/01/11 09:41] baumi | Current revision: splunk-queries [2024/10/15 05:26] (current) baumi
Line 1: Line 1:
-===== Queries =====+====== Splunk Queries =====
 + 
 +===== Indexes & Events ===== 
 +==== List Indexes ==== 
 +<code> 
 +| eventcount summarize=false index=*  
 +| dedup index  
 +| fields index 
 +</code>
 ==== Count Events per Index ==== ==== Count Events per Index ====
 <code> <code>
 | tstats count WHERE index=* OR index=_* by index | tstats count WHERE index=* OR index=_* by index
 </code> </code>
-==== List Indexes ==== 
 <code> <code>
-eventcount summarize=false index=* | dedup index | fields index+tstats count where index=<indexname> by _time host span=1h prestats=true 
 +| timechart count span=1h 
 +| addtotals 
 +</code> 
 +==== Events per Host / Index / Sourcetype ==== 
 +<code> 
 +| tstats count as EVENTS_PER_HOST where index=* by index,sourcetype,host  
 +table *  
 +| sort by index 
 +</code> 
 + 
 +==== Ingestion by Index ==== 
 +<code> 
 +index=_internal sourcetype=splunkd source=*license_usage.log type=Usage  
 +stats sum(b) as bytes by idx | eval mb=round(bytes/1024/1024,3) 
 +</code> 
 + 
 +=== Timechart === 
 +<code> 
 +index=_internal sourcetype=splunkd source=*license_usage.log type=Usage  
 +| timechart span=1d sum(b) as usage by idx limit=0  
 +| foreach * [ eval "<<FIELD>>"=round('<<FIELD>>'/1024/1024,3)] 
 +</code> 
 + 
 +==== Total Ingestion ==== 
 +<code> 
 +index=_internal sourcetype=splunkd source=*license_usage.log type=Usage  
 +| timechart span=1d sum(b) as usage  
 +| eval gb=round(usage/1073741824,3)  
 +| table _time, gb 
 +</code> 
 + 
 +===== Lookups & Macros ===== 
 + 
 +==== Export Lookup file ==== 
 +<code> 
 +| inputlookup my_lookup.csv 
 +</code> 
 + 
 +==== List of Macros ==== 
 +<code> 
 +| rest /servicesNS/-/-/admin/macros count=0
 </code> </code>
  
 {{tag>kb splunk}} {{tag>kb splunk}}
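Review bot: in the Events per Host / Index / Sourcetype and Ingestion by Index blocks, `table *` and `stats sum(b) as bytes by idx` are missing the leading `|`, so Splunk parses them as search terms rather than as commands; write `| table *` and `| stats sum(b) as bytes by idx`. In the same host/index/sourcetype query, `| sort by index` should be `| sort index`, since sort takes its field list directly and has no by clause. The second block under Count Events per Index (the hourly `tstats ... span=1h prestats=true | timechart count span=1h | addtotals` query) has no `====` heading of its own, so it reads as part of the per-index count; give it a title such as "Events per Hour". Finally, the new List Indexes query uses `index=*` only, whereas Count Events per Index uses `index=* OR index=_*`; if the internal `_*` indexes are meant to appear in the list as well, add `index=_*` to the eventcount call for consistency.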
splunk-queries.1704962497.txt.gz · Last modified: 2024/01/11 09:41 by baumi