Infrastructure Queries
Infrastructure queries retrieve statistical information about LogLogic LMI itself, for example, its configuration or the data ingested into it.
With infrastructure queries you can find things like the amount of data that has been ingested and indexed over time, in one-hour buckets. These queries work in the same way as other queries, except where indicated.
Infrastructure queries are not necessarily related to log events and do not contain an event time-stamp column, which other data models do. As a result, a Time value need not be specified within infrastructure queries. If you use the time value in the Time field rather than embedding the time span explicitly in the query, then you must delete the value from the time block field to successfully execute an infrastructure query.
Query for Fetching the Data Ingested
Query Name:
use LogLogic_System_Ingest_And_Index_Stats

The following fields are returned in the search results:
Field | Description |
---|---|
lls_time | Time period to be queried |
lls_ingestBytes | Number of data bytes ingested during the specified time period |
lls_indexBytes | Number of bytes indexed during the specified time period |
lls_indexSizeDelta | Change in size of the physical disk space consumed by the index |
lls_indexMsgCount | Number of messages indexed |
lls_ingestMsgCount | Number of messages ingested |
Description:
The data ingest count represents when the files get collected by the system, whereas the index count represents when those files (or, in the case of large pulled files, parts of those files) are actually indexed.
If a large amount of data is ingested in one hour, most of it might get indexed in the following hour, resulting in a higher index count than the ingest count for that hour.
In a relatively quiet system, the data ingest count is only updated periodically, whereas the index count is updated when a file is indexed. Therefore, the index count might get updated before the data ingest count. As a result, the index count might be more than the data ingest count for the most recent hour.
Therefore, for up-to-date values, check the count shortly after the end of any particular hour.
Examples
- USE LogLogic_System_Ingest_And_Index_Stats
returns the results in one-hour buckets.
- USE LogLogic_System_Ingest_And_Index_Stats | COLUMNS lls_time, lls_ingestBytes / 1024.0 / 1024.0 / 1024.0 AS IngestGB, lls_indexBytes / 1024.0 / 1024.0 / 1024.0 AS IndexGB
returns the results in GB.
- USE LogLogic_System_Ingest_And_Index_Stats | COLUMNS DAYS(lls_time) AS myTime, SUM(lls_ingestBytes) / 1024.0 / 1024.0 / 1024.0 AS IngestGBPerDay, SUM(lls_indexBytes) / 1024.0 / 1024.0 / 1024.0 AS IndexGBPerDay | GROUP BY DAYS(lls_time)
returns the statistics in one-day buckets, in GB.
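
Because indexing can spill into the following hour, comparing ingest and index counts hour by hour is misleading. The Python sketch below is an added example, not part of the LogLogic documentation: it keeps a running backlog over hourly rows and labels each bucket using the cases in the Description. The CSV export layout, the timestamp format and the sample values are assumptions constructed for illustration; only the field names come from the table above.

```python
import csv
import io

# Constructed sample: hourly rows as they might be exported to CSV from
# "USE LogLogic_System_Ingest_And_Index_Stats". The CSV layout and the
# timestamp format are assumptions; the column names are from the field table.
SAMPLE_CSV = """lls_time,lls_ingestMsgCount,lls_indexMsgCount
2024-05-01 09:00,1000,1000
2024-05-01 10:00,9000,2000
2024-05-01 11:00,1000,8000
2024-05-01 12:00,0,0
2024-05-01 13:00,500,700
"""

def backlog_report(csv_text):
    """Return (time, ingested, indexed, backlog, note) per hourly bucket.

    Rows are assumed to be in ascending time order. backlog is the running
    total of ingested minus indexed messages, which stays meaningful when
    indexing spills into the following hour.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    report, backlog = [], 0
    for i, row in enumerate(rows):
        ingested = int(row["lls_ingestMsgCount"])
        indexed = int(row["lls_indexMsgCount"])
        carried = backlog            # messages still waiting from earlier hours
        backlog += ingested - indexed
        if indexed > ingested and indexed - ingested <= carried:
            note = "index > ingest: catching up on earlier hours"
        elif indexed > ingested and i == len(rows) - 1:
            note = "index > ingest in latest hour: ingest count not yet updated"
        elif indexed > ingested:
            note = "index > ingest not explained by backlog: investigate"
        elif ingested == 0:
            note = "nothing ingested: check collection"
        else:
            note = "ok"
        report.append((row["lls_time"], ingested, indexed, backlog, note))
    return report

if __name__ == "__main__":
    for line in backlog_report(SAMPLE_CSV):
        print(*line, sep=" | ")
```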