Are my Collectors ingesting data

Follow

Mario Sanchez

• May 27, 2017 00:33
• Edited

This query will help you determine and Alert when Collectors haven't ingested data for an hour. Notice that you must have Data Indexing enabled.

 _index=sumologic_volume 
| where _sourceCategory="collector_volume" 
| parse regex "\"(?[^\"]*)\"\:\{\"sizeInBytes\"\:(?\d+),\"count\"\:(?\d+)\}" multi 
| timeslice 1h | bytes/1024/1024/1024 as gbytes 
| sum(gbytes) as gbytes by collector, _timeslice 
| where gbytes < 0.00001

0

• 

  Training Labs

  • April 17, 2018 10:10

  i am getting an error while giving these query!!

  Error: "No capture group found in regex, regex=""(?[^"]*)"\:\{"sizeInBytes"\:(?\d+),"count"\:(?\d+)\}". An example of a valid "extract" usage is [extract "From: (?<from>.*) To: (?<to>.*)"]"

  0

  Comment actions Permalink
• 

  Artur Paprzycki

  • May 25, 2018 14:42

  Try this:

  
  _index=sumologic_volume
  | where _sourceCategory="collector_volume"
  | parse regex "\"(?<collector>[^\"]*)\"\:\{\"sizeInBytes\"\:(?<bytes>\d+),\"count\"\:(?<count>\d+)\}" multi
  | timeslice 1h | bytes/1024/1024/1024 as gbytes
  | sum(gbytes) as gbytes by collector, _timeslice
  | where gbytes < 0.00001

  0

  Comment actions Permalink

Please sign in to leave a comment.