Digital Resilience Pays Off
Download this e-book to learn about the role of Digital Resilience across enterprises.
Managing your Ingestion with the search bar
By
Splunk
Many of our cloud customers have asked me how to better manage their data, e.g. determine volume by sourcetype, or volume by forwarder. This is typically available via the Distributed Management Console, but in some cases, a person’s role prevents them from getting full access to it. In the article below, I will guide you through several searches aimed to let anyone dive a bit deeper into their Splunk Cloud service.
Below are a few searches I find helpful
Total Ingestion Volume over time
index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" type="RolloverSummary" | eval GB=b/1024/1024/1024 |timechart span= 1d sum(GB) as GB |
Be sure to double check your time range selector here, I usually search over the past 7 days. If you want to look at hour by hour, simply adjust the search time. If you want to see what you’ve ingested over the past 30 days, you’ll need to adjust accordingly, and if you want to get fancy, be sure and set the earliest=-30d@d latest=-0d@d to ensure you’re using midnight to midnight as the markers for time range. You this search uses type="RolloverSummary", which indicates when the log rolled each day. You could also use the type “Usage” as well.
ProTip: Get even fancier and use | eval myLicense=XXX to see how close you are getting to your limit.
You can use the same search to look by various other input components, such as ingestion by sourcetype:
index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" type=Usage | eval GB=b/1024/1024/1024 |timechart sum(GB) by st
Or if you want to see ingestion by forwarder (or forwarder AND sourcetype) use the following:
index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" type=Usage | eval GB=b/2014/1024/1024 | stats sum(GB) as GB by s host | sort - GB
Either way you want to slice it, Splunk automatically indexes its own internal logs, including the license log (license_usage.log).
Stay tuned for part 2 where we start to dive even deeper into managing your instance, straight from the search bar.
If you happen to be in Orlando next week, be sure to stop by and say “Hi” during the Cloud Adoption Team’s presentation of “Best Practices in Splunk Cloud”
----------------------------------------------------
Thanks!
Dennis Bourg
Related Articles
About Splunk
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
