I need to find how much volume hosts are sending to my "main" index. The search below queries the internal index, and I'm not seeing the hosts that I need. If I search a specific host under the main index, the host is there and actively sending data to the indexer. I've tried modifying the search from index="_internal" to index="main", and it doesn't report anything back.
From:
index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)
To:
index="main" source="WMI:WinEventLog:Security" | chart sum(kb) by series | sort - sum(kb)
But, with only:
index="main" source="WMI:WinEventLog:Security"
Brings back 2710 results from today.
I have hosts that are sending to this index, and I need to be able to tell how much data they're sending, but the internal index isn't showing them for some reason....
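An added example search, not part of the original post: the `kb` and `series` fields are extracted only from metrics.log `per_host_thruput` lines in `_internal` (and that log keeps just the top-N series per sampling interval, `maxseries` in limits.conf, default 10, which is why low-volume hosts drop out), so `chart sum(kb) by series` finds no such fields in raw Security events. Measuring the events in `main` directly, sizing each by `len(_raw)` (character count, so an approximation of indexed bytes) and grouping by `host` instead of `series`, gives a per-host volume for the last 24 hours; the source and time range are assumed from the post.

```spl
index="main" source="WMI:WinEventLog:Security" earliest=-24h
| eval bytes=len(_raw)
| stats sum(bytes) AS bytes, count AS events BY host
| eval mb=round(bytes/1024/1024, 2)
| sort - bytes
```

Drop the `source=` clause to size the whole index, or add `host=<name>` to check one sender against its count in the `per_host_thruput` data.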