[ | tstats count where punct=#* by index, sourcetype | fields - count | format ] _raw=#*
| eval gb=len(_raw)/pow(1024,3)
| timechart span=1d sum(gb)
0 comments
[0]
[0]
[0]
[0]
index=_internal tcpouteloop "connected to idx" | stats count by idx
0 comments
[0]
[0]
[0]
[0]
index=_internal sourcetype=splunkd *phonehome* component=DC* | stats latest(_time) as _time, latest(_raw) as _raw by host
0 comments
[0]
[0]
[0]
[0]
| tstats count where index=* by _time, _indextime, sourcetype | rename _* as * | eval diff_secs=indextime-time, diff_hours=diff_secs/60/60 | stats max(diff_secs) as diff_secs, max(diff_hours) as diff_hours by sourcetype
0 comments
[0]
[0]
[0]
[0]
| tstats count where index=* by _time, _indextime, index | rename _* as * | eval diff_secs=indextime-time, diff_hours=diff_secs/60/60 | stats max(diff_secs) as diff_secs, max(diff_hours) as diff_hours by index
1 comment
[0]
[0]
[0]
[0]
index=* | stats count by _raw, index, sourcetype, source, host | where count>1
0 comments
[1]
[0]
[1]
[0]
index=* | stats count by _raw, index, sourcetype | where count>1 | stats values(sourcetype) as sourcetype by index
0 comments
[1]
[0]
[1]
[0]