-
-
Save nicksan2c/3ceb9d071291c439c0e8ec02620161dc to your computer and use it in GitHub Desktop.
Splunk Summary Indexing
Licence Usage
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [debug_log_transform] | |
| REGEX=DEBUG\s[ | |
| DEST_KEY = queue | |
| FORMAT = nullQueue | |
| Link https://answers.splunk.com/answers/11617/route-unwanted-logs-to-a-null-queue.html | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| >Create on | |
| index=idx_swg_web_pro (*.facebook.com OR *.fbcdn.net) | eval GB_traffic=(trsize/1024/1024/1024) | sitimechart span=15m sum(GB_traffic) as traffic | |
| >sheduled and add field report for better index filtering. | |
| >Search on | |
| index=summary (report="swg_facebook_usage" OR report="swg_blick_usage" OR report="swg_youtube_usage_by_category") | timechart span=15m sum(GB_traffic) by report | rename swg_facebook_usage as "Traffic in GB for Facebook", swg_blick_usage as "Traffic in GB for Blick", swg_youtube_usage_by_category as "Traffic in GB for Youtube" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| index=_internal source="*license_usage.log" type=usage idx="*" | eval MB = round(b/1048576,2) | eval st_idx = st.": ".idx | timechart span=1d sum(MB) by st_idx |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Subsearch delivers Results to Mainsearch | |
| index=idx_fwloggrabber_dev sourcetype=opsec rule_name="clean*" [search index=idx_fwloggrabber_dev sourcetype=opsec rule_name="clean*" | top service limit=3 | fields service | format] | top dst limit=20 | |
| watch for the format commando |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment