Splunk® Enterprise

Monitor and Troubleshoot ingestion

Preview features described in this document are provided by Splunk to you "as is" without any warranties, maintenance and support, or service-level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. These documents are not yet publicly available and we ask that you keep such information confidential.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Working with the Data monitoring dashboard

Select your data

Select a Time and a Compare to time. This compares the time defined in the Time field with the same time window for the day defined in the Compare to window. For example, a Compare to time of "7 days" will compare ingestion to data ingested at the same time seven days ago.

Compare to Select the past time frame that you want to compare to the selected Time value:
  • None: Does not locate any comparison data. No comparison data will be returned in your search summary.
  • 1 day ago: Compares the data for the time defined in the Time field to data ingested at the same time one day ago.
  • 7 days ago: Compares the data for the time defined in the Time field to data ingested at the same time seven days ago.
  • 14 days ago: Compares the data for the time defined in the Time field to data ingested at the same time 14 days ago.
  • 30 days ago: Compares the data for the time defined in the Time field to data ingested at the same time 30 days ago.


View your data

Once you select your time fields, you can view an overview of your data ingestion in the "Overview" tab, and data volume information in your "Data volume" tab.


Overview

The Overview tab provides the following information:

Total volume Total volume ingested
Volume over time Total volume for your data over the selected time as well as a line graph of your data volume over time.
Top data entities The Top data entities section displays line graph data for the entities with your selected parameters.

To view the data for your selected entities in the "Top data entities" section, select the types of data you wish to view in the View by field. You can search by any combination of the following:

  • Index: Search for data by Index.
  • Source type: Search for data by source type.
  • Host: Search for data by host.
  • Source: Search for data by source.

Volume tab

The Volume tab provides the following information. Note that some data may be squashed; for more information about squashing, see About metrics in the Data Monitoring dashboard.

View by Select the types of data you wish to view in the View by field. You can search by any combination of the following:
  • Index: Search for data by Index.
  • Source type: Search for data by source type.
  • Host: Search for data by host.
  • Source: Search for data by source.
Data entities with ingestion The number of entities that ingested data during the Time window.
Data entities with no ingestion Data entities with ingestion during the Compare to time but not during the selected Time.
New data entities Data entities with ingestion during the selected Time but not during the Compare to time.
Search field Enter search criteria you want to use to locate data entities. For example, you can search for an index called "firewall" by adding that as a search term in the Search field. You can search for indexes, source types, sources, or hosts.
Filter field (Optional) In the Filter field, select one of the following:
  • All data entities (default)
  • Data entities with ingestion
  • Data entities with no ingestion
  • New data entities
Results table The results table shows the following information:
  • Entity: Identifier for the data being shown. The column title will change based on the type of data you select in the View by field. The default values in the View by field are index and source type.
  • Current volume: Volume of data ingested for a data entity during the Time window.
  • Volume comparison: Shows the difference in ingested volume as a percentage. For example, if 100GB was ingested in the last four hours, and 200GB was ingested during the selected Compare to time one week ago, the dashboard reflects a 50% decline.

If the dashboard displays "NA", this means the entity is new and there is no data in the Compare to time period. The Volume comparison column only exists when you select a Compare to period.

Action To further investigate an item, click "Investigate". See Investigate a data entity for more information.
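The classification and percentage rules the Volume tab applies (Volume comparison, "NA" for new entities, the "with ingestion" / "no ingestion" / "new" filter categories and their counts), as an added Python example that is not the Splunk app's own code. It assumes per-entity byte volumes for the Time window and the Compare to window have already been collected; the two sample dictionaries below are constructed stand-ins for that, keyed by (index, source type), the dashboard's default View by fields.

```python
from typing import Dict, Optional, Tuple

Entity = Tuple[str, str]  # (index, source type), the default View by fields
GB = 1024 ** 3

# Constructed sample volumes in bytes: the selected Time window (last four
# hours) and the Compare to window (the same four hours, seven days ago).
CURRENT_WINDOW: Dict[Entity, int] = {
    ("main", "firewall"): 100 * GB,    # halved versus last week
    ("main", "wineventlog"): 30 * GB,  # steady
    ("sec", "edr"): 5 * GB,            # not present in the Compare to window
}
COMPARE_WINDOW: Dict[Entity, int] = {
    ("main", "firewall"): 200 * GB,
    ("main", "wineventlog"): 30 * GB,
    ("main", "vpn"): 40 * GB,          # sent data last week, silent now
}


def volume_comparison(current: int, compare: int) -> Optional[float]:
    """Percent change versus the Compare to window; None is rendered as 'NA'."""
    if compare == 0:
        return None
    return (current - compare) / compare * 100.0


def compare_entities(current: Dict[Entity, int],
                     compare: Optional[Dict[Entity, int]]) -> Dict[Entity, dict]:
    """One results-table row per entity; compare=None means Compare to is 'None'."""
    rows: Dict[Entity, dict] = {}
    keys = set(current) | (set(compare) if compare else set())
    for key in sorted(keys):
        cur = current.get(key, 0)
        row = {"current_volume": cur, "with_ingestion": cur > 0}
        if compare is not None:  # the comparison column only exists with a Compare to period
            prev = compare.get(key, 0)
            row["volume_comparison"] = volume_comparison(cur, prev)
            row["no_ingestion"] = prev > 0 and cur == 0   # ingested before, nothing now
            row["new"] = cur > 0 and prev == 0            # ingesting now, nothing before
        rows[key] = row
    return rows


def filter_rows(rows: Dict[Entity, dict], category: str = "All data entities") -> Dict[Entity, dict]:
    """Apply the Filter field; 'All data entities' (or any unknown value) keeps every row."""
    flag = {"Data entities with ingestion": "with_ingestion",
            "Data entities with no ingestion": "no_ingestion",
            "New data entities": "new"}.get(category)
    return {k: r for k, r in rows.items() if flag is None or r.get(flag)}


def summary(rows: Dict[Entity, dict]) -> Dict[str, int]:
    """The three entity counts shown above the results table."""
    return {name: sum(bool(r.get(name)) for r in rows.values())
            for name in ("with_ingestion", "no_ingestion", "new")}
```

An entity that has stopped sending data (the ("main", "vpn") row) shows up only through the Compare to window, which is why a silent log source is invisible when Compare to is set to None.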

Investigate a data entity

Use the monitoring dashboard to monitor total ingestion including ingestion trends over a period of time. For example, if you notice a sudden spike in total data volume, you can investigate further by navigating to the "Data Volume" dashboard where you can look at volume metrics at a more granular level to identify which data sources are contributing to the spike. In the Data investigation dashboard, click the "investigate" link for the data entity that you wish to review. Use the following search fields to refine your data:

Time Select the Time for summary comparison. When you are investigating an entity, you don't have to re-select all the options; selections carry over from the previous screen for that data entity.
Compare to Select the past time frame that you want to compare to the selected Time:
  • None: Does not locate any comparison data. No comparison data will be returned in your search summary.
  • 1 day ago: Compares the base data to data received one day ago.
  • 7 days ago: Compares the base data to data received seven days ago.
  • 14 days ago: Compares the base data to data received 14 days ago.
Index Choose an index that you want to investigate further.
Source type Choose a Source type that you want to investigate further.
Host Choose a host that you want to investigate further.
Source Choose a source that you want to investigate further.



You can view the following information:

Total volume Total ingested volume for the selected time.
Latest event time The "_time" for the last event ingested for a data entity.
Latest index time The "_indextime" for the last event indexed for a data entity.
Volume over time A line graph of data volume over the time for the selected Time and Compare to time.

In the "View Breakdown" table, you can select one or more data entity to further investigate. The following data is provided for the selected entities:

Host/Source type/Source/Index Identifier for the data being shown. Which of these columns you see depends on what you selected in the View by field: the table columns at the bottom depend on the values you select in the filters above. For example, if the index is index1, the source type is st1, the host is "All hosts" and the source is "All sources", the table below displays the host and source columns. If you then change the source type to "All source types", the table renders again with three columns: source type, host, and source.
Current volume Volume of data ingested for a data entity during the Time window.
Volume comparison Shows the volume ingestion difference in percentage.
Current volume trendline Trendline for the current period as selected in the Time field.
Action Click Add filter to drill down for the specific entity.
Last modified on 23 January, 2025

This documentation applies to the following versions of Splunk® Enterprise: DataMonitoringAppPreview
