Suren
@suren Active 9 years, 2 months ago
9 years, 2 months ago
Suren wrote a new post
index=_internal sourcetype=splunkd OR sourcetype=splunkd_access | stats latest(sourcetype) as sourcetype | eval sourcetypeidx=case(sourcetype="splunkd",2,sourcetype="splunkd_access",1) | rangemap […]
9 years, 2 months ago
Suren wrote a new post
How can I tell when Splunk is finished indexing a log file?
(Credit for this one goes to the learnsplunk.com author who originally posted it on his website)
By watching data from Splunk's metrics log in […]
9 years, 7 months ago
Suren wrote a new post
index=apache sourcetype=access_combined | chart count(eval(like(status,"2%"))) AS Success, count(eval(like(status,"4%") OR like(status,"5%"))) AS Error by status
###this query is to report on status code […]
9 years, 7 months ago
Suren wrote a new post
index=_audit tag=authentication info=succeeded | dedup user | table user timestamp
9 years, 7 months ago
Suren wrote a new post
eventtype=hostmon_windows Type=Disk host="*" FileSystem="*" DriveType="*" | dedup host, Name | eval FreeSpacePct=round(FreeSpaceKB/TotalSpaceKB*100) | eval TotalSpaceGB=round(TotalSpaceKB/1024/1024) | eval […]
9 years, 10 months ago
Suren became a registered member
Awesome query thanks for sharing! I ran this (slight modification of your query) and it was interesting to see the spike in throughput along with traffic patterns with our iis data source: index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="iis" | eval MB=kb/1024 | timechart sum(MB)
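To show what the throughput query in the comment above is actually doing, here is an added Python stand-in that is not Suren's code and not part of the original page: it parses a handful of constructed splunkd metrics.log lines (made up for this example, not captured from a real instance), keeps only the `group=per_sourcetype_thruput` records for one `series`, converts the `kb` field to MB and sums it per time bucket, the same shape of result `| eval MB=kb/1024 | timechart sum(MB)` returns. The only assumption beyond the query itself is an explicit 60-second bucket, where `timechart` would pick a span automatically.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of splunkd metrics.log lines (made up for this example,
# not captured from a real instance). Each thruput line reports, for one
# series (a sourcetype, source, host or index), the kilobytes indexed in the
# reporting interval. The per_source_thruput line is here to show that the
# group filter matters: the same field names appear in several groups.
SAMPLE_METRICS_LOG = """\
04-24-2017 10:00:02.123 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="iis", kbps=12.80, eps=40.0, kb=384.00, ev=1200, avg_age=1, max_age=2
04-24-2017 10:00:02.123 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="splunkd", kbps=0.50, eps=3.0, kb=15.00, ev=90, avg_age=0, max_age=1
04-24-2017 10:00:33.456 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="iis", kbps=21.33, eps=66.0, kb=640.00, ev=1980, avg_age=1, max_age=3
04-24-2017 10:01:02.789 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="iis", kbps=68.27, eps=200.0, kb=2048.00, ev=6000, avg_age=2, max_age=5
04-24-2017 10:01:33.012 +0000 INFO  Metrics - group=per_source_thruput, series="/var/log/iis/u_ex170424.log", kbps=1.00, eps=2.0, kb=30.00, ev=60, avg_age=1, max_age=1
04-24-2017 10:02:02.345 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="iis", kbps=0.00, eps=0.0, kb=0.00, ev=0, avg_age=0, max_age=0
"""

# Timestamp and component prefix, then the comma-separated key=value payload.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"INFO\s+Metrics - (?P<fields>.*)$"
)
# Values are either double-quoted (series names may contain commas or spaces)
# or bare tokens up to the next comma.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def parse_metrics(text):
    """Yield one dict per Metrics line: a tz-aware _time plus the key=value fields."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other splunkd components write to the same file; skip them
        rec = {"_time": datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")}
        for key, val in FIELD_RE.findall(m.group("fields")):
            rec[key] = val.strip('"')
        yield rec


def timechart_sum_mb(text, series, group="per_sourcetype_thruput", span=60):
    """Equivalent of: group=<group> series=<series> | eval MB=kb/1024 | timechart span=<span>s sum(MB).

    Returns {bucket_start: MB} sorted by bucket. A bucket with only kb=0
    lines is kept (0.0) so a gap in ingestion is visible, not silently dropped.
    """
    buckets = defaultdict(float)
    for rec in parse_metrics(text):
        if rec.get("group") != group or rec.get("series") != series:
            continue
        epoch = rec["_time"].timestamp()
        start = datetime.fromtimestamp(epoch - epoch % span, tz=rec["_time"].tzinfo)
        buckets[start.strftime("%Y-%m-%d %H:%M:%S")] += float(rec["kb"]) / 1024
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    for bucket, mb in timechart_sum_mb(SAMPLE_METRICS_LOG, "iis").items():
        print(f"{bucket}  {mb:.3f} MB")
```

Reading the same file with `group="per_source_thruput"` and the file path as `series` gives per-file throughput instead of per-sourcetype, which is the view to watch when the question is whether a particular log file is still being read.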