SPL
Universal Forwarder Throughput Limit Hit Count
Description
This search counts the amount of times the UF's throughput limit is hit. I also threw in a sparkline:
3 0
index=_internal sourcetype=splunkd "current data throughput" | rex "Current data throughput \((?<kb>\S+)" | eval rate=case(kb < 500, "256", kb > 499 AND kb < 520, "512", kb > 520 AND kb < 770 ,"768", kb>771 AND kb<1210, "1024", 1=1, ">1024") | stats count as Count sparkline as Trend by host, rate | where Count > 4 | rename host as "Host" rate as "Throughput rate(kb)" count as "Hit Count"| sort -"Throughput rate(kb)",-Count
Comments
0 total
Be the first to comment on this SPL.
Leave a comment
You must log in to post a comment.