
Estimate input throughput

Starting with version 1.2.0 of the Splunk Add-on for CrowdStrike FDR, new log messages let you estimate the ingestion throughput of each running modular input (modinput) separately.

You can use the following search over the _internal index: index="_internal" sourcetype="crowdstrike_fdr_ta*" "Sent to pipeline:". Each matching message tells you:

  • The bucket file being ingested.
  • The number of unpacked (decompressed) bytes ingested from that file, in messages matching the selected filter. For example:

Sent to pipeline: cs_input_stanza=simple_consumer_input://si, cs_bytes_sent=607440001, cs_file_path=s3://crowdstrike-generated-big-batch-us-west-2/data/d811c19e-7729-4c9b-abb8-357d539aa4a0/part-00063.gz

  • Splunk automatically extracts the cs_input_stanza, cs_bytes_sent and cs_file_path fields from these messages.
  • Because those fields are extracted, you can immediately build a timechart of per-input ingestion rates, as in the following example:

index="_internal" sourcetype="crowdstrike_fdr_ta*" "Sent to pipeline:" | eval throughput_gb=cs_bytes_sent/1024/1024/1024 | timechart span=1h sum(throughput_gb) by cs_input_stanza
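The following Python script is an added example, not code from the add-on or from this page. It parses "Sent to pipeline:" messages of the format shown above and reproduces the per-input hourly throughput computed by the timechart search, which is handy when you have exported _internal events (for example from a diag) and want to check ingestion rates offline. The timestamp and log-level prefix on each line, the bucket names and the byte counts in the sample are constructed for this example; the field names (cs_input_stanza, cs_bytes_sent, cs_file_path) and the message text are the ones the page documents.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines. The "Sent to pipeline:" message body follows the
# format shown on the page; the "YYYY-MM-DD HH:MM:SS,mmm LEVEL" prefix is an
# assumption about how the add-on's internal log lines are prefixed.
SAMPLE_LOG = """\
2024-01-01 10:05:12,001 INFO Sent to pipeline: cs_input_stanza=simple_consumer_input://si, cs_bytes_sent=536870912, cs_file_path=s3://example-bucket/data/part-00063.gz
2024-01-01 10:40:00,500 INFO Sent to pipeline: cs_input_stanza=simple_consumer_input://si, cs_bytes_sent=536870912, cs_file_path=s3://example-bucket/data/part-00064.gz
2024-01-01 10:41:00,000 INFO Sent to pipeline: cs_input_stanza=simple_consumer_input://other, cs_bytes_sent=1073741824, cs_file_path=s3://example-bucket/data/part-00001.gz
2024-01-01 11:02:00,000 INFO Sent to pipeline: cs_input_stanza=simple_consumer_input://si, cs_bytes_sent=2147483648, cs_file_path=s3://example-bucket/data/part-00065.gz
2024-01-01 11:03:00,000 DEBUG unrelated message that also mentions cs_bytes_sent=999
"""

# Matches the assumed timestamp prefix and isolates the message body after the marker.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?Sent to pipeline: (?P<body>.*)$"
)
# key=value pairs separated by ", " as in the documented message format.
FIELD_RE = re.compile(r"(?P<key>cs_\w+)=(?P<val>[^,]+)")


def parse_line(line):
    """Return a dict with time, cs_input_stanza, cs_bytes_sent and cs_file_path,
    or None when the line is not a well-formed "Sent to pipeline:" message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip() for k, v in FIELD_RE.findall(m.group("body"))}
    try:
        bytes_sent = int(fields["cs_bytes_sent"])
    except (KeyError, ValueError):
        # A message without a numeric byte count cannot contribute to throughput.
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "cs_input_stanza": fields.get("cs_input_stanza", "unknown"),
        "cs_bytes_sent": bytes_sent,
        "cs_file_path": fields.get("cs_file_path"),
    }


def timechart_throughput_gb(lines, span_hours=1):
    """Offline equivalent of:
    ... | eval throughput_gb=cs_bytes_sent/1024/1024/1024
        | timechart span=<span_hours>h sum(throughput_gb) by cs_input_stanza
    Returns {bucket_start_iso: {stanza: gigabytes}} in time order."""
    buckets = defaultdict(lambda: defaultdict(float))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t = rec["time"].replace(minute=0, second=0, microsecond=0)
        # Floor the hour to the start of its span-sized bucket.
        bucket = t.replace(hour=t.hour - t.hour % span_hours)
        buckets[bucket][rec["cs_input_stanza"]] += rec["cs_bytes_sent"] / 1024 / 1024 / 1024
    return {b.isoformat(): dict(v) for b, v in sorted(buckets.items())}


def total_gb_per_stanza(lines):
    """Total decompressed gigabytes seen per input stanza across all buckets."""
    totals = defaultdict(float)
    for stanza_map in timechart_throughput_gb(lines).values():
        for stanza, gb in stanza_map.items():
            totals[stanza] += gb
    return dict(totals)


if __name__ == "__main__":
    chart = timechart_throughput_gb(SAMPLE_LOG.splitlines())
    for bucket, per_stanza in chart.items():
        for stanza, gb in sorted(per_stanza.items()):
            print(f"{bucket}  {stanza:<35} {gb:8.3f} GB")
    print("totals:", total_gb_per_stanza(SAMPLE_LOG.splitlines()))
```

Lines that do not carry the "Sent to pipeline:" marker (the DEBUG line in the sample) are ignored, mirroring the string filter in the Splunk search; a stanza absent from an hour simply has no entry for that bucket, which is what the timechart shows as a zero column.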