quick question

Posted: Mon Aug 12, 2019 1:55 pm
by benhank
Guys, how do I get the answers to the following questions from my log server?
1. How much data traffic is going in and out on a daily basis?
2. What is the exact type of data per host that is being logged?

Re: quick question

Posted: Mon Aug 12, 2019 4:43 pm
by cdienger
You can see the size of each day's index under Admin > System > Cluster Status and you can find the type of data a host is sending by adding a term panel that displays the type field. See attached screenshot. Does this help get you what you need?

Re: quick question

Posted: Mon Aug 12, 2019 5:56 pm
by benhank
Well, sorta, but it's mostly a question about the actual log server itself.
How do I find out how many Windows event logs are being sent to the server, as well as the syslogs?
Also, how much throughput does each type of log consume?
Or, to rephrase:
How many servers are sending Windows event logs to my log server, or how many devices are sending syslogs, and how much bandwidth is being used by each type?

Re: quick question

Posted: Tue Aug 13, 2019 10:56 am
by cdienger
Switching the term field to host will show the unique hosts. Getting a count, though, would need to be done from the command line. For example, a count of unique hosts that sent syslog data for the last day:

curl -XGET 'http://localhost:9200/_all/_search?q=type:syslog&pretty' \
  -H 'Content-Type: application/json' \
  -d '{
  "aggs": {
    "clients": { "cardinality": { "field": "host.raw" } }
  },
  "query": {
    "range": {
      "date": {
        "gte": "now-1d",
        "lte": "now"
      }
    }
  },
  "size": 999
}'
The amount of bandwidth being used by each is a bit trickier. The best way I can think of to measure this would be to look at the size of the results returned by a query for each. The default 'All Events' panel has an 'Export as CSV' option that you can use to export the results and compare.
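The counting and sizing described in the reply above, as an added Python example that is not from the thread: it builds the same cardinality query (assuming the same `type`, `date` and `host.raw` fields and an Elasticsearch endpoint at localhost:9200) and estimates per-type volume from returned hits. The sample hits are constructed.

```python
import json
import urllib.request
from collections import defaultdict

ES_URL = "http://localhost:9200/_all/_search"  # assumed endpoint, as in the reply


def unique_hosts_query(log_type, days=1):
    """Same idea as the curl body: distinct host.raw values for one 'type'
    over the last `days` days. size=0 because only the aggregation matters."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"type": log_type}},
            {"range": {"date": {"gte": f"now-{days}d", "lte": "now"}}},
        ]}},
        "aggs": {"clients": {"cardinality": {"field": "host.raw"}}},
    }


def post_query(body, url=ES_URL):
    """Send a search body to Elasticsearch and return the parsed JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def volume_per_type(hits):
    """Per-type unique hosts and approximate bytes, measured as the size of
    each hit's serialised _source (the same thing the CSV export would show)."""
    hosts = defaultdict(set)
    nbytes = defaultdict(int)
    for hit in hits:
        src = hit["_source"]
        t = src.get("type", "unknown")
        hosts[t].add(src.get("host", "unknown"))
        nbytes[t] += len(json.dumps(src, separators=(",", ":")).encode())
    return {t: {"hosts": len(hosts[t]), "bytes": nbytes[t]} for t in hosts}


# Constructed sample hits standing in for a real /_search response.
SAMPLE_HITS = [
    {"_source": {"type": "syslog", "host": "fw01", "message": "link up"}},
    {"_source": {"type": "syslog", "host": "fw01", "message": "link down"}},
    {"_source": {"type": "syslog", "host": "sw02", "message": "port 3 flap"}},
    {"_source": {"type": "eventlog", "host": "dc01", "message": "logon 4624"}},
]

if __name__ == "__main__":
    print(json.dumps(unique_hosts_query("syslog"), indent=2))
    print(volume_per_type(SAMPLE_HITS))
```

Against a live server, replace `SAMPLE_HITS` with `post_query({...})["hits"]["hits"]` for a query with a non-zero `size`.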

Re: quick question

Posted: Tue Aug 13, 2019 3:45 pm
by benhank
Hey, thanks man! You can lock it.