Here you will find some examples of how to utilize Splunk in different ways.

Example of how to find all hostnames and source files that are reporting data for a sourcetype

index=* sourcetype="f5:bigip:syslog" hostname="*" | stats count by hostname host source

This example will show you hostname, source and the stats per device, so you can identify whether all your devices are reporting to Splunk as you thought. Also which devices are reporting a lot of data (maybe debug is turned on).

Another pretty quick query that I prefer is this one:

|  tstats count as totalCount earliest(_time) as firstTime latest(_time) as lastTime where index="*" sourcetype="f5:bigip:syslog" by host sourcetype
|  fieldformat firstTime=strftime(firstTime,"%Y/%m/%d %H:%M:%S")
|  fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")
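Building on the tstats query above, here is an added example (not part of the original post) that compares the hosts actually seen for the f5:bigip:syslog sourcetype against an inventory of expected devices and flags the ones that have never reported, have gone silent, are missing from the inventory, or are unusually noisy. The lookup file expected_f5_hosts.csv (one column, host), the 1-hour silence window and the 100000-event volume threshold are all assumptions to adjust for your environment.

```spl
| tstats count AS totalCount latest(_time) AS lastTime
    WHERE index=* sourcetype="f5:bigip:syslog" BY host
| eval seen=1
| append
    [| inputlookup expected_f5_hosts.csv
     | fields host
     | eval expected=1 ]
| stats sum(totalCount) AS totalCount max(lastTime) AS lastTime
        max(seen) AS seen max(expected) AS expected BY host
| eval status=case(
    isnull(seen),                                 "never reported",
    isnull(expected),                             "not in inventory",
    lastTime < relative_time(now(), "-1h"),       "silent for more than 1h",
    totalCount > 100000,                          "unusually high volume",
    true(),                                       "ok")
| fieldformat lastTime=strftime(lastTime, "%Y/%m/%d %H:%M:%S")
| where status!="ok"
| table host status totalCount lastTime
```

Drop the final where clause to see every host with its status, which is handy when tuning the volume threshold.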
