We can figure this out:
By watching data from Splunk’s metrics log in real-time:
index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="<your_sourcetype_here>" | eval MB=kb/1024 | chart sum(MB)
By watching everything split by source type:
index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | eval MB=kb/1024 | chart sum(MB) avg(eps) over series
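The same aggregation can be run offline against a copy of metrics.log, for example on a host where search is not available. The following is an added example, not part of the original page: the function names are hypothetical, the sample lines are constructed, and the key=value line layout is assumed to match what splunkd writes for the per_sourcetype_thruput group.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed metrics.log layout); the last one is truncated.
SAMPLE = """\
01-15-2024 10:00:31.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=2.0, eps=10.0, kb=2048.0, ev=300, avg_age=1.0, max_age=2
01-15-2024 10:01:02.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.0, eps=20.0, kb=1024.0, ev=600, avg_age=1.0, max_age=2
01-15-2024 10:01:02.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=0.5, eps=4.0, kb=512.0, ev=120, avg_age=0.0, max_age=1
01-15-2024 10:01:02.000 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=4.0, eps=30.0, kb=4096.0, ev=900, avg_age=1.0, max_age=2
01-15-2024 10:01:33.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=
"""

# Matches key=value and key="quoted value" pairs.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_fields(line):
    """Return the key=value pairs of one metrics.log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}

def thruput_by_sourcetype(lines, series=None):
    """Mirror `eval MB=kb/1024 | chart sum(MB) avg(eps) over series`.

    Returns {sourcetype: (total_MB, average_eps)}; pass `series` to
    restrict the result to one sourcetype, as the first search does.
    """
    totals = defaultdict(lambda: [0.0, 0.0, 0])  # kb sum, eps sum, sample count
    for line in lines:
        f = parse_fields(line)
        if f.get("group") != "per_sourcetype_thruput":
            continue  # other metrics groups share the same file
        try:
            name, kb, eps = f["series"], float(f["kb"]), float(f["eps"])
        except (KeyError, ValueError):
            continue  # truncated or malformed line
        if series is not None and name != series:
            continue
        t = totals[name]
        t[0] += kb
        t[1] += eps
        t[2] += 1
    return {name: (kb / 1024, eps_sum / n) for name, (kb, eps_sum, n) in totals.items()}

if __name__ == "__main__":
    for name, (mb, eps) in sorted(thruput_by_sourcetype(SAMPLE.splitlines()).items()):
        print(f"{name}: {mb:.2f} MB, avg {eps:.1f} eps")
```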
If we are having trouble with data input and need to troubleshoot it, particularly when our whitelist/blacklist rules are not working the way we expected, we go to the following URL: