Splunk search for Times UF hits throughput limit

index=_internal sourcetype=splunkd "has reached maxKBps"
| rex "Current data throughput \((?<kb>\S+)"
| eval throughput=case(kb < 500, "256", kb < 520, "512", kb < 770, "768", kb < 1210, "1024", 1=1, ">1024")
| stats count as Count sparkline as Trend by host, throughput
| where Count >= 1
| sort -throughput, -Count
| rename host as "Host" throughput as "Throughput rate(kb)" Count as "Hit Count"

This Splunk search lists the number of times a Universal Forwarder has hit its throughput limit, grouped by host and throughput bucket. You can adjust the limit by changing maxKBps in the [thruput] stanza of limits.conf on the universal forwarder in question.
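The stanza referred to above, as an added example that is not part of the original page. The value 1024 is an assumption chosen for illustration; pick one that fits the forwarder's data volume and the network path to the indexers.

```ini
# $SPLUNK_HOME/etc/system/local/limits.conf on the universal forwarder
# (or the local/ directory of an app deployed to it)
[thruput]
# A universal forwarder ships with maxKBps = 256 (KB per second).
# 0 removes the limit entirely.
# 1024 is an illustrative value, not one taken from the original page.
maxKBps = 1024
```

Restart the forwarder for the change to take effect, then rerun the search to confirm the host no longer appears.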

