How to Check When Splunk is finished Indexing a log file

How can I tell when Splunk is finished indexing a log file? (Credit for this one goes to learnsplunk.com author who originally posted it on his website) By watching  data from splunk’s metrics log in real-time. ************************************************************ index=”_internal” source=”*metrics.log” group=”per_sourcetype_thruput” series=”your_sourcetype_here” | eval MB=kb/1024 | chart sum(MB) ************************************************************ or to watch everything happening split by […]

Continue Reading →

Apache access_logs status code reporting

index=apache sourcetype=access_combined | chart count(eval(like(status,”2%”))) AS Success, count(eval(like(status,”4%”) OR like(status,”5%”))) AS Error by status ###this query is to report on status code description##### index=apache source=”/var/log/httpd/access_log” | timechart count by status_description useother=f # Find Website Status Over time index=apache sourcetype=access_combined| timechart count by status_type limit=10 usenull=f # Reports on Webserver error 500. index=apache sourcetype=access_combined status_type=”Server Error” […]

Continue Reading →

Low Disk Space Alert for Windows Servers

eventtype=hostmon_windows Type=Disk host=”*” FileSystem=”*” DriveType=”*” | dedup host, Name | eval FreeSpacePct=round(FreeSpaceKB/TotalSpaceKB*100) | eval TotalSpaceGB=round(TotalSpaceKB/1024/1024) | eval FreeSpaceGB=round(FreeSpaceKB/1024/1024) | search FreeSpacePct<10 TotalSpaceGB=”*” | dedup host, Name, DriveType, TotalSpaceGB, FreeSpaceGB, FreeSpacePct | table host, Name, DriveType, TotalSpaceGB, FreeSpaceGB, FreeSpacePct | sort FreeSpacePct

Continue Reading →