![]() ![]() However, the local indexers and heavy forwarders still have the sourcetype=splunkd, group=per_sourcetype _ thruput, and source=/opt/splunk/var/log/splunk/metrics.log . I work in Lehi, Utah and those metrics are collected and stored in Boise, Idaho (where I do not have the access to query). I know some of you will tell me that the metric is already provided by Splunk, but you do not know my environment. I was trying to make an ingestion metric by sourcetype. Then someone can correct me or tell me that I have a defective Splunk or something like that: OK, so I figured out what was going on and I'd like to explain. Hope this is enough information to clearly understand the problem. ![]() Help me! I'm drowning.īe gentle, this is my first discussion topic. I can run the two separately, extract the data into excel and do a vlookup to get the results I want, but I need this to be in the report/search. which I think worked, but still didn't tell me which index applied to each sourcetype. I even just tried to use the second search as a subsearch of the first search to limit the sourcetypes to ONLY the ones returned in the tstats search. I tried to use join with the max=0 and type=inner and it only returned a handful of rows (less than 1000) and only for a few of the index/sourcetype combinations. I tried to use appendcols and the number of rows between the first search and the second search don't match, so only the first handful of rows get an index and the index doesn't match up with the sourcetype. I tried to use append and it just adds the additional sourcetype/index rows below the actual results (not as a new column). I want to join these results to make a single table of: Results: (example - roughly 86 rows returned) | tstats count where (index=BlackPearl OR index=Tortuga OR index=Swashbuckler) by index, sourcetype | table sourcetype, index IMPORTANT: The index of all of these is " _internal", not the actual index that the source data comes from. Index="_internal" source="*metrics.log" per_index_thruput series=autoshell host=lelsplunkix* | eval GB=kb/(1024*1024) | timechart span=12h sum(GB) as GB by series The two searches I would like to join are: And I've been through the pages reviewing the subsearch, append, appendcols, join and selfjoin. But this discussion doesn't have a solution. ![]() The closest discussion that looks like what I am shooting for is: How to join two searches on a common field where the value of the left search matches all values of. If there is one that works for this issue, please simply direct me to the correct discussion. If you search sourcetype=linux_syslog, events from both of those sources are returned.I have read through almost every Join label topic on the Splunk Community page and I don't seem to see one that fits my problem. The sourcetype determines how Splunk software processes the incoming data stream into individual events according to the nature of the data.Įvents with the same source type can come from different sources, for example, if you monitor source=/var/log/messages and receive direct syslog input from udp:514. The source is the name of the file, stream, or other input from which a particular event originates. Source and source type are both default fields, but they are entirely different otherwise, and can be easily confused. the type of the sources will be the sourcetype.įor example, you can add data from /var/log/messages to splunk. a system log file, an app log files, lookup files, etc.Ģ) Which are the sources type of the event? The same question. 1) Which are the sources of the event?Simulate me some real situations.Įvent source can be anything. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |