splunk-queries
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| splunk-queries [2024/03/15 11:55] – [Count Events per Index] baumi | splunk-queries [2024/10/15 05:26] (current) – baumi | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== Splunk Queries ===== | + | ====== Splunk Queries |
| + | |||
| + | ===== Indexes & Events | ||
| ==== List Indexes ==== | ==== List Indexes ==== | ||
| < | < | ||
| - | | eventcount summarize=false index=* | dedup index | fields index | + | | eventcount summarize=false index=* |
| + | | dedup index | ||
| + | | fields index | ||
| </ | </ | ||
| ==== Count Events per Index ==== | ==== Count Events per Index ==== | ||
| Line 15: | Line 19: | ||
| ==== Events per Host / Index / Sourcetype ==== | ==== Events per Host / Index / Sourcetype ==== | ||
| < | < | ||
| - | | tstats count as EVENTS_PER_HOST where index=* by index, | + | | tstats count as EVENTS_PER_HOST where index=* by index, |
| + | | table * | ||
| + | | sort by index | ||
| </ | </ | ||
| Line 27: | Line 33: | ||
| < | < | ||
| index=_internal sourcetype=splunkd source=*license_usage.log type=Usage | index=_internal sourcetype=splunkd source=*license_usage.log type=Usage | ||
| - | | timechart span=1d sum(b) as usage by idx limit=0 | foreach * [ eval "<< | + | | timechart span=1d sum(b) as usage by idx limit=0 |
| + | | foreach * [ eval "<< | ||
| </ | </ | ||
| + | |||
| + | ==== Total Ingestion ==== | ||
| + | < | ||
| + | index=_internal sourcetype=splunkd source=*license_usage.log type=Usage | ||
| + | | timechart span=1d sum(b) as usage | ||
| + | | eval gb=round(usage/ | ||
| + | | table _time, gb | ||
| + | </ | ||
| + | |||
| + | ===== Lookups & Macros ===== | ||
| ==== Export Lookup file ==== | ==== Export Lookup file ==== | ||
splunk-queries.1710500104.txt.gz · Last modified: 2024/03/15 11:55 by baumi