|
Answer» By watching data from Splunk's metrics log in real-time:

index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="<your_sourcetype_here>" | eval MB=kb/1024 | chart sum(MB)

or to watch everything happening split by sourcetype:

index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | eval MB=kb/1024 | chart sum(MB) avg(eps) over series

And if you're having trouble with a data input and you want a way to troubleshoot it, particularly if your whitelist/blacklist rules aren't working the way you expect.
|