Investigate a data entity
This topic describes the elements of the Investigate page.
Use the Investigate page to monitor total ingestion including ingestion trends over a period of time. For example, if you notice a sudden spike in total data volume, you can investigate further by navigating to the Ingestion metrics dashboard to look at volume metrics at a more granular level and identify which data sources are contributing to the spike. You can then click the "Investigate" link for the data entity that you wish to review.
| Field | Description |
|---|---|
| Total event count | The total count as well as the trend of total number of events ingested for the time ranges specified in the Time and Compare to fields. For example, an increase in total events by 20% indicates that the event count metric for the current time range specified in the Time field has increased 20% compared to the time range specified in the Compare to field. |
Total volume |
Total volume ingested as well as the trend of ingestion volume for the time ranges specified in the Time and Compare to fields. For example, an increase in volume by 20% indicates that the total volume metric for the current time range specified in the Time field has increased 20% compared to the time range specified in the Compare to field. |
Latest latency | Shows the most recent latency for the time ranges and entity types specified, which is calculated as the time between when an event was generated and when it was indexed in Splunk. |
Event count over time |
A line graph that demonstrates the trend of total number of events ingested for the time ranges specified for the selected index and source type. This trendline breaks down the trend described in the Total events panel. |
| Volume over time | A line graph of data volume that demonstrates the trend of ingestion volume for the time ranges specified in the Time field and Compare to field. This trendline breaks down the trend described in the Total volume panel. |
| Latest latency over time | A line graph of data volume that demonstrates the trend of latency time for the time ranges specified in the Time field and Compare to field. Latency is calculated as the time between when an event was generated and when it was indexed in Splunk. |
| Latest and first ingestion |
Shows data for ingestion times and provides the following details:
|
| Latest event time | The timestamp for the latest event. |
| Field | Description |
|---|---|
| View by | You can search by any combination of the following: * Index * Source type * Host * Source |
| Metric | Select the metrics you want to view, you can select one of the following metrics:
|
| Field | Description |
|---|---|
| Host/Source type/Source/Index | The name of the host, source type, source, or index. Which of these columns you see depends on what you selected in the View by field. The table columns at the bottom depend on the values you select in the filters above. For example, if the index is index1, source type is st1, host is "All hosts" and source type is "All source types", the table displays the host and source columns. If you change source type to "All source types", the table will render again and will display three columns: source types, host, and source |
| Event count | Number of events ingested for selected Time. |
| Event count trendline | Trendline of event count changes for the current period as selected in the Time field. |
Event count change | Shows the event count ingestion difference in percentage. |
| Current volume |
Volume of data ingested for a data entity during the selected Time range. |
| Current volume trendline | Trendline for the current period as selected in the Time field. |
Volume change | Shows the volume ingestion difference in percentage. |
| Latest latency | Shows the latency for the last index time. |
| Latest event time | Shows the timestamp for the last event that was ingested. |
| Latest index time | The index time for the last successful saved search |
| Action | Click Add filter to drill down for the specific entity. |