Differences

This shows you the differences between two versions of the page.

--- splunk-queries [2024/01/25 09:17] – baumi
+++ splunk-queries [2024/10/15 05:26] (current) – baumi
@@ Line 1: / Line 1: @@
-===== Splunk Queries =====
+====== Splunk Queries ======
+===== Indexes & Events =====
+==== List Indexes ====
+<code>
+| eventcount summarize=false index=*
+| dedup index
+| fields index
+</code>
 ==== Count Events per Index ====
 <code>
 | tstats count WHERE index=* OR index=_* by index
 </code>
-==== List Indexes ====
 <code>
-| eventcount summarize=false index=* | dedup index | fields index
+| tstats count where index=<indexname> by _time host span=1h prestats=true
+| timechart count span=1h
+| addtotals
 </code>
 ==== Events per Host / Index / Sourcetype ====
+<code>
+| tstats count as EVENTS_PER_HOST where index=* by index,sourcetype,host
+| table *
+| sort by index
+</code>
+==== Ingestion by Index ====
 <code>
-| tstats count as EVENTS_PER_HOST where index=* by index,sourcetype,host | table * | sort by index
+index=_internal sourcetype=splunkd source=*license_usage.log type=Usage
+| stats sum(b) as bytes by idx | eval mb=round(bytes/1024/1024,3)
 </code>
+=== Timechart ===
+<code>
+index=_internal sourcetype=splunkd source=*license_usage.log type=Usage
+| timechart span=1d sum(b) as usage by idx limit=0
+| foreach * [ eval "<<FIELD>>"=round('<<FIELD>>'/1024/1024,3)]
+</code>
+==== Total Ingestion ====
+<code>
+index=_internal sourcetype=splunkd source=*license_usage.log type=Usage
+| timechart span=1d sum(b) as usage
+| eval gb=round(usage/1073741824,3)
+| table _time, gb
+</code>
+===== Lookups & Macros =====
+==== Export Lookup file ====
+<code>
+| inputlookup my_lookup.csv
+</code>
+==== List of Macros ====
+<code>
+| rest /servicesNS/-/-/admin/macros count=0
+</code>
 {{tag>kb splunk}}