icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Cancel Visit New Splunkbase Visit
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Splunk End User License for Third Party Content

Splunk Websites Terms and Conditions of Use

Thank You

Downloading Indexing Insights
SHA256 checksum (indexing-insights_141.tgz) 4714980873babf7e17496f4acbf8e118faf3ef0b84d71086f3f975b3d5dccaf9 SHA256 checksum (indexing-insights_140.tgz) 71ba001374b45b2150354aa3b3c2870eb4ae0e2e7a52621468dac85194b6a44c SHA256 checksum (indexing-insights_130.tgz) a13fab73f66a62ac7c4a61bc2845605d7299f2589280b5501099e7c4bd99fb7c SHA256 checksum (indexing-insights_120.tgz) a8ef279e51fad01fed60f4a9db8688be70a162c4c1e843c770cd85d6b8364326 SHA256 checksum (indexing-insights_112.tgz) 44f4eab5bd2505abbaba7a53d19831a74e3fae4cc34ccb9cdca2236765dbbe5e SHA256 checksum (indexing-insights_110.tgz) 409faccf1fe8db8fbd23e4c1d9ecb87e31962aa01aea33002346d8327f3533f7 SHA256 checksum (indexing-insights_101.tgz) c013c6be95a7c5d17b7f0c9e18943960244c8891ec97dd5020b0a6cb08925480
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate
splunk

Indexing Insights

Splunk Cloud
Overview
Details
The Indexing Insights app provides insights into your event indexing with the focus on discovering anomalous behavior. This app consists of a number of saved searches that summarize information about your Splunk environment, and a dashboard to explore the summarized data. The main features of this app are as follows.

* Visualizations to see how much data has been indexed for a given day compared to the past.
* Visualizations to see the count of indexed events for a given day compared to the past.
* The ability to drill down to explore the hosts where anomalous behavior might be occurring.

Important

Make sure to read the installation instructions. If you do no follow the instructions when you install the app you will not see anything in the dashboard. This app is not driven on live data but rather summarized data via scheduled reports. You will only see data from the point that you enable the shceduled searches going forward unless you use the backfill dashboard to create scripts to backfill the summarizations.

Installation Instructions

Standalone Environment

  1. Install the app.
  2. Enable the schedule for these saved searches.
    • Summary Report Indexed Bytes
    • Summary Report Indexed Bytes by index
    • Summary Report Indexed Bytes by sourcetype
    • Summary Report Indexed Count
    • Summary Report Indexed Count by host
    • Summary Report Indexed Count by index
    • Summary Report Indexed Count by index host
    • Summary Report Indexed Count by sourcetype
    • Summary Report Indexed Count by sourcetype host
    • Summary Report Windows EventCode Counts
    • Summary Report Windows EventCode Counts by host
    • Summary Report Summary Timings
  3. Every five minutes the summary report searches will run and start to populate the data for the dashboard. Since the dashboard relies on the summary report data you will not see anything actionable for at least a week. Many of the panels compare data over the last five weeks, so it will not be fully usable for at least 5 weeks. There is a secondary dashboard in the app called Backfill Generator that can be used to create shell scripts that will backfill the data so that the dashboard can be used sooner than five weeks.
  4. If you would like to only have the app scan a subset of your data you can edit the indexing_insights_indexes macro. By default the app will scan all the non-internal indexes.
  5. If you would like to specify which index the summarized data will be saved to you can edit the indexing_insights_summary_index macro. By default all the data is saved to the summary index.

Distributed Environment

  1. Install the app on a server for collecting the summary data.
  2. Enable the schedule for these saved searches. Make sure to only enable them on one Splunk server. I would suggest the license master.
    • Summary Report Indexed Bytes
    • Summary Report Indexed Bytes by index
    • Summary Report Indexed Bytes by sourcetype
    • Summary Report Indexed Count
    • Summary Report Indexed Count by host
    • Summary Report Indexed Count by index
    • Summary Report Indexed Count by index host
    • Summary Report Indexed Count by sourcetype
    • Summary Report Indexed Count by sourcetype host
    • Summary Report Windows EventCode Counts
    • Summary Report Windows EventCode Counts by host
    • Summary Report Summary Timings
  3. If you want to view the dashboard on another server, such as a search head, install the app there as well but do not enable the saved searches.
  4. Every five minutes the summary report searches will run and start to populate the data for the dashboard. Since the dashboard relies on the summary report data you will not see anything actionable for at least a week. Many of the panels compare data over the last five weeks, so it will not be fully usable for at least 5 weeks. There is a secondary dashboard in the app called Backfill Generator that can be used to create shell scripts that will backfill the data so that the dashboard can be used sooner than five weeks. I would suggest running the shell scripts on the same server where you enabled the saved searches.
  5. If you would like to only have the app scan a subset of your data you can edit the indexing_insights_indexes macro. By default the app will scan all the non-internal indexes.
  6. If you would like to specify which index the summarized data will be saved to you can edit the indexing_insights_summary_index macro. By default all the data is saved to the summary index.

Third Party Software

Release Notes

Version 1.4.1
March 6, 2023
  • Fixed a bug where the date_time_seconds field was being evaluated as a string rather than a number.
Version 1.4.0
March 3, 2023
  • Added a macro to specify which index to store the summarized report in. The scheduled reports, the indexing dashboard, and the backfill dashboard all look to the new macro now. The macro is indexing_insights_summary_index and the default value is "summary".
Version 1.3.0
Feb. 27, 2023
  • Added a summary report for search timings to make the search timings graphs faster.
  • Updated the graph on the Search Timings tab and split it into separate panels.
  • Fixed issue with the time pickers on backfill generator dashboard that caused single digit seconds to clear the date/time field.

Note
With this release you will need to enable the schedule on the new summary report called "Summary Report Summary Timings". It is disabled by default. If you do not enable it you will not see anything on the Search Timings tab.
Version 1.2.0
Feb. 17, 2023
  • Added macro to define which indexes to include in the reports. The default is * (all non-internal indexes).
  • Added the ability to include or exclude the filters in the overview comparisons. Previously it was just include. Basically, this allows you to invert the filter logic.
  • Updated the saved searches to use the new macro. This addresses an issue if only certain indexes are set as default for user roles then the other indexes will not fall into the search.
  • Updated the backfill dashboard to use the new macro. This addresses an issue if only certain indexes are set as default for user roles then the other indexes will not fall into the search.
  • Updated the bytes field in the pie charts on the ingest tab. Renamed it to gb.
Version 1.1.2
Feb. 14, 2023
  • Fixed issue with 8.x and limiting the time picker
Version 1.1.0
Jan. 24, 2023
  • Added annotations to column charts for event count drilldowns
Version 1.0.1
Jan. 23, 2023
  • Initial release
1,430
Downloads
Share Subscribe LOGIN TO DOWNLOAD
Version
Built by
Davin Studer
Support
Developer Supported
Contact Developer Questions on Splunk Answers Flag as inappropriate
Compatibility
Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud
Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0 Platform: Platform Independent Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0 Platform: Platform Independent Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0 Platform: Platform Independent Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0 Platform: Platform Independent Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0 Platform: Platform Independent Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0 Platform: Platform Independent Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0 Platform: Platform Independent
Licensing
Splunk End User License for Third Party Content
Category & Contents
Categories: IT Operations, SIEM
App Type: App
Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Submit New Splunk App Dev Resources
PLATFORM
Data-to-Everything Platform
Splunk Cloud
Splunk Enterprise
Splunk Machine Learning Toolkit
Splunk Data Stream Processor
Pricing
Free Trials & Downloads
SECURITY PRODUCTS
Splunk Enterprise Security
Splunk Phantom
Splunk Mission Control
Splunk User Behavior Analytics
IT OPERATIONS & OBSERVABILITY PRODUCTS
Splunk Infrastructure Monitoring
Splunk IT Service Intelligence
Splunk Application Performance Monitoring
Splunk On-Call
SOLUTIONS BY INITIATIVE
Cloud Transformation
SOLUTIONS BY FUNCTION
Security
IT
Devops
SOLUTIONS BY INDUSTRY
Aerospace & Defense
Communications
Energy & Utilities
Financial Services
Healthcare
Higher Education
Manufacturing
Nonprofits
Online Services
Public Sector
Retail
WHY SPLUNK?
Why Splunk?
Customer Stories
Partners
Data-to-Everything
Diversity & Inclusion
SUPPORT
Support Portal
Support Programs
Splunk Answers
Contact Us
Product Security Updates
RESOURCES
Events
Webinars
Blogs
Customer Success
Expert Services
Data Insider
View All Resources
FOR DEVELOPERS
Documentation
Best Practices
Get Started with Splunk
Training & Certification
User Groups
Community
Splunkbase
Splunk dev
COMPANY
About Splunk
Careers
Leadership
Splunk for Good
Splunk Ventures
Splunk Protects
Newsroom
COVID-19 Response
SPLUNK SITES
.conf
Splunk Live!
T-Shirt Store
Investor Relations
Follow Us:
© 2005-2024 Splunk LLC All rights reserved.
Sitemap | Privacy | Website Terms of Use | Splunk Licensing Terms | Export Control | Modern Slavery Statement | Splunk Patents | Report a Problem
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk LLC in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.