View how much data is ingested in Splunk SOAR (On-premises) using ingestion summary
The ingestion summary page provides a summary of container and artifact ingestion over time and currently scheduled periodic ingestions. Use the Ingestion Summary page to get a broad view of how much data is coming into Splunk SOAR (On-premises) and how that amount is trending over time.
Perform the following steps to view ingestion summary details:
- From the Home menu, select Administration.
- Select System Health, then Ingestion Summary.
- Specify a time range that you want to view. Choose from the last 24 hours (default), 7 days, or 30 days.
The Ingestion Summary table shows a line chart with the total number of successful and failed artifact and container ingestions across all Data Sources and ingestion methods.
The Scheduled Ingestion table lets you track the configuration of all Data Sources that currently have scheduled polling enabled and includes the following columns:
- Time: Date and time when that Data Source was last set to enable scheduled polling.
- Interval/Schedule: How often that Data Source is scheduled to poll.
- Container: Label that will be applied to containers ingested from that Data Source.
- Asset: Name of the Data Source asset.
- App: Name of the Data Source app.
- Action: Name of the action that will be used to ingest data.
The Success counts in the graph are calculated based on these factors:
| Included in Success count | Not included in Success count |
|---|---|
| Polling action itself | REST action itself, when using REST instead of polling |
| Containers ingested | Containers deleted |
| Artifacts ingested | Artifacts deleted |
For example, an on_poll action that resulted in 4 containers and 4 artifacts would have a success count of 9: 1 for the on_poll itself + 4 containers ingested + 4 artifacts ingested