Differences

This shows you the differences between two versions of the page.

--- splunk-queries [2024/02/13 10:54] – [Ingestion by Index] baumi
+++ splunk-queries [2024/10/15 05:26] (current) – baumi
@@ Line 1: / Line 1: @@
-===== Splunk Queries =====
+====== Splunk Queries ======
+===== Indexes & Events =====
+==== List Indexes ====
+<code>
+| eventcount summarize=false index=*
+| dedup index
+| fields index
+</code>
 ==== Count Events per Index ====
 <code>
 | tstats count WHERE index=* OR index=_* by index
 </code>
-==== List Indexes ====
 <code>
-| eventcount summarize=false index=* | dedup index | fields index
+| tstats count where index=<indexname> by _time host span=1h prestats=true
+| timechart count span=1h
+| addtotals
 </code>
 ==== Events per Host / Index / Sourcetype ====
 <code>
-| tstats count as EVENTS_PER_HOST where index=* by index,sourcetype,host | table * | sort by index
+| tstats count as EVENTS_PER_HOST where index=* by index,sourcetype,host
+| table *
+| sort by index
 </code>
@@ Line 23: / Line 33: @@
 <code>
 index=_internal sourcetype=splunkd source=*license_usage.log type=Usage
-     | timechart span=1d sum(b) as usage by idx limit=0 | foreach * [ eval "<<FIELD>>"=round('<<FIELD>>'/1024/1024,3)]
+| timechart span=1d sum(b) as usage by idx limit=0
+| foreach * [ eval "<<FIELD>>"=round('<<FIELD>>'/1024/1024,3)]
 </code>
-==== Export Lookup file ====
+==== Total Ingestion ====
+<code>
+index=_internal sourcetype=splunkd source=*license_usage.log type=Usage
+| timechart span=1d sum(b) as usage
+| eval gb=round(usage/1073741824,3)
+| table _time, gb
+</code>
+===== Lookups & Macros =====
+==== Export Lookup file ====
 <code>
 | inputlookup my_lookup.csv
 </code>
-==== List of Macros ====
+==== List of Macros ====
 <code>
 | rest /servicesNS/-/-/admin/macros count=0