Splunk® Supported Add-ons

Splunk Add-on for CrowdStrike FDR

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Estimate input throughput

Starting with the Splunk Add-on for CloudStrike FDR version 1.2.0, new logs allow estimation of throughput per each running ingesting modinput separately.

You can use the search over _internal index index="_internal" sourcetype="crowdstrike_fdr_ta*" "Sent to pipeline:". This search tells you:

  • The bucket file being ingested.
  • The number of unpacked bytes ingested from this file in messages satisfying the selected filter. For example:

Sent to pipeline: cs_input_stanza=simple_consumer_input://si, cs_bytes_sent=607440001, cs_file_path=s3://crowdstrike-generated-big-batch-us-west-2/data/d811c19e-7729-4c9b-abb8-357d539aa4a0/part-00063.gz

  • Splunk automatically extracts meaningful fields like cs_input_stanza, cs_bytes_sent and cs_file_path.
  • Splunk instantly creates time charts showing per input ingestion rates like in following example:

index="_internal" sourcetype="crowdstrike_fdr_ta*" "Sent to pipeline:" | eval throuhgput_gb=cs_bytes_sent/1024/1024/1024 | timechart span=1h sum(throuhgput_gb) by cs_input_stanza

Last modified on 14 December, 2023
PREVIOUS
Crowdstrike FDR data volumes 		  NEXT
CIM extractions

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters