How to Check When Splunk Is Finished Indexing a Log File

How can I tell when Splunk is finished indexing a log file?

(Credit for this one goes to the learnsplunk.com author, who originally posted it on his website.)

By watching data from Splunk’s metrics log in real time.
************************************************************

index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="your_sourcetype_here" | eval MB=kb/1024 | chart sum(MB)


************************************************************
Or, to watch everything that is happening, split by sourcetype:
************************************************************

index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | eval MB=kb/1024 | chart sum(MB) avg(eps) over series

************************************************************
And if you’re having trouble with a data input and you want a way to troubleshoot it, particularly if your whitelist/blacklist rules aren’t working the way you expect, go to this URL:

https://yoursplunkhost:8089/services/admin/inputstatus
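
The searches above chart throughput; the sketch below answers the "is it finished?" question directly by reading metrics.log text and reporting, per sourcetype, the total MB indexed and the time of the last throughput sample. It is an added example, not code from the original post or from Splunk; the sample lines are constructed, and the function names and the 60-second quiet threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the metrics.log layout (not real data).
SAMPLE = """\
03-01-2024 10:00:00.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="iis", kbps=68.27, eps=120.5, kb=2048.0, ev=3615, avg_age=2.0, max_age=4
03-01-2024 10:00:00.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.7, eps=3.0, kb=51.2, ev=90, avg_age=1.0, max_age=2
03-01-2024 10:00:30.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="iis", kbps=34.13, eps=60.0, kb=1024.0, ev=1800, avg_age=2.0, max_age=4
03-01-2024 10:00:30.000 +0000 INFO  Metrics - group=pipeline, name=indexerpipe, processor=indexer, cpu_seconds=0.0, executes=10
03-01-2024 10:01:00.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.7, eps=3.0, kb=51.2, ev=90, avg_age=1.0, max_age=2
03-01-2024 10:01:30.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.7, eps=3.0, kb=51.2, ev=90, avg_age=1.0, max_age=2
"""

# Timestamp (zone offset ignored, treated as local time), then key=value pairs.
LINE = re.compile(r"^(\d\d-\d\d-\d{4} \d\d:\d\d:\d\d)\.\d+ \S+ \w+\s+Metrics - (.*)$")
PAIR = re.compile(r'(\w+)=("[^"]*"|[^,]*)')

def summarize(text):
    """Return {series: {"mb": total MB, "last": datetime of last sample}}."""
    out = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a metrics line, or truncated
        kv = {k: v.strip('"') for k, v in PAIR.findall(m.group(2))}
        if kv.get("group") != "per_sourcetype_thruput":
            continue  # other metrics groups (pipeline, queue, ...) are ignored
        try:
            series, kb = kv["series"], float(kv["kb"])
        except (KeyError, ValueError):
            continue  # malformed sample: skip rather than guess
        ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S")
        entry = out.setdefault(series, {"mb": 0.0, "last": ts})
        entry["mb"] += kb / 1024  # same conversion as eval MB=kb/1024
        entry["last"] = max(entry["last"], ts)
    return out

def looks_finished(summary, series, now, quiet=timedelta(seconds=60)):
    """True when `series` was seen and has logged no throughput for `quiet`."""
    return series in summary and now - summary[series]["last"] >= quiet

if __name__ == "__main__":
    now = datetime(2024, 3, 1, 10, 1, 30)  # constructed "current time"
    for name, s in sorted(summarize(SAMPLE).items()):
        print(name, round(s["mb"], 2), s["last"], looks_finished({name: s}, name, now))
```

Treat a quiet result as a hint rather than proof: metrics.log is written at intervals and records only the busiest series in each one, so a slow sourcetype can be missing from a sample while still being indexed.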

Comments

  1. SplunkNinja

    Awesome query, thanks for sharing! I ran this (slight modification of your query) and it was interesting to see the spike in throughput along with traffic patterns with our IIS data source: index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="iis" | eval MB=kb/1024 | timechart sum(MB)