Splunk Search for Sourcetypes that are Being Truncated Copy
index=_internal sourcetype=splunkd "truncating line" | rex field=_raw "line length\s+>=\s+(?<length>\d+)" | search length=* | stats max(length) as length, count by data_sourcetype
0 comments
Splunk Search for Indexes With High Indexing Lag Time Copy
| tstats count where index=* by _time, _indextime, index | rename _* as * | eval diff_secs=indextime-time, diff_hours=diff_secs/60/60 | stats max(diff_secs) as diff_secs, max(diff_hours) as diff_hours by index
1 comment