Installation

Too many indexed bytes reported

rschutt
Explorer

I'm running the following search:

index="_internal" source="*license_usage.log"

The problem is that all hosts report received bytes, even though there are no events received. The lowest number I have seen is 134 bytes (b=134). Does anyone know why I see these and how I can report on the real number of indexed bytes? Thanks!

0 Karma

rschutt
Explorer

The strange thing is that I tested the same on another deployment and on this I won't get any of these entries in license_usage.log if no events occur, which is what I expected. On the initial deployment I see every minute a new event in license_usage.log with "h" being my forwarder and "b" always showing at least 134 bytes, even though I cannot find any events from this forwarder. So where are these bytes going? I should see them in any of the non-internal indexes, right?

0 Karma

yannK
Splunk Employee

You need to group per source sourcetype host indexer (s/h/st/i) to have useful numbers.
You can check the examples of searches on license_usage there:
http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

0 Karma
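The grouping suggested in the answer above, worked offline in Python as an added example that is not part of any post in this thread: it sums `b` per host, source, sourcetype and indexer so that small recurring records (such as the 134-byte ones) can be traced to the source and sourcetype that produce them. The sample lines are constructed, and the line layout beyond the `s`, `h`, `st`, `i` and `b` fields named in the thread is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the thread). The key=value layout
# and the type= field are assumptions about license_usage.log.
SAMPLE_LOG = """\
05-01-2013 10:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/messages" st="syslog" h="fwd01" o="" i="GUID-A" pool="example_pool" b=134 poolsz=524288000
05-01-2013 10:01:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/messages" st="syslog" h="fwd01" o="" i="GUID-A" pool="example_pool" b=134 poolsz=524288000
05-01-2013 10:01:01.000 +0000 INFO  LicenseUsage - type=Usage s="/opt/app/app.log" st="app" h="fwd01" o="" i="GUID-A" pool="example_pool" b=2048 poolsz=524288000
05-01-2013 10:01:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/messages" st="syslog" h="fwd02" o="" i="GUID-A" pool="example_pool" b=512 poolsz=524288000
05-02-2013 00:00:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary pool="example_pool" poolsz=524288000 b=2828
"""

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_usage(line):
    """Return the fields of a type=Usage record, or None for any other line."""
    fields = {}
    for m in KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    # Summary records also carry b=, so filter on type to avoid double counting.
    if fields.get("type") != "Usage" or not fields.get("b", "").isdigit():
        return None
    return fields


def bytes_by_group(lines, keys=("h", "s", "st", "i")):
    """Map each (host, source, sourcetype, indexer) group to (total_bytes, records)."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        fields = parse_usage(line)
        if fields is None:
            continue
        group = tuple(fields.get(k, "") for k in keys)
        totals[group][0] += int(fields["b"])
        totals[group][1] += 1
    return {group: tuple(v) for group, v in totals.items()}


if __name__ == "__main__":
    report = bytes_by_group(SAMPLE_LOG.splitlines())
    for group, (total, records) in sorted(report.items(), key=lambda kv: -kv[1][0]):
        print(f"{total:>8} bytes in {records} record(s): {group}")
```
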

joshd
Builder

I've listed some searches on my blog to show the license breakdown by source, sourcetype, host, per index statistics and so on... I would start with running these various searches to narrow down where the actual culprit is...

http://www.joshd.ca/content/splunk-usage-statistic-searches

I would also suggest downloading and using the Splunk Deployment Monitor app as it can provide a wealth of information:

http://splunk-base.splunk.com/apps/22301/splunk-deployment-monitor

0 Karma