I use Splunk to index the log files from several servers. Today I have to report the indexed log size every day as a chart; data is only 1 week for reporting.
Does anyone have an idea for creating a query and making a chart?
You can refer to the default alerts in Splunk.
http://(your_server):8000/en-US/app/search/reports
Click "License Usage Data Cube"
index=_internal source=*metrics.log group=per_index_thruput series=* | eval MB = round(kb/1024,2) | timechart sum(MB) as MB by series
This will return data indexing information.
Thanks @guilmxm, however there are no results found with group per_index_thruput.
I'm sorry, I think I misunderstood your question, as you seem to want to chart an indexed log file and not the index itself.
You could create a simple shell script that will output time, logfile name, and size (script input), index it where you want, and then generate charts as you need.
Thanks for your answer. I'm using Splunk 6, and I see there is a feature named 'licenseusage'; however, the page was rendering with JS, so I have to query for the information.
Hi,
You can use the following request to get the current index size (size in MB):
| eventcount summarize=false report_size=true index=* | eval size_MB = round(size_bytes/1024/1024,2) | fields index, size_MB
At this point, you can schedule a saved search that will populate a summary index, including a _time value extracted from the search time itself:
| eventcount summarize=false report_size=true index=*
| addinfo
| eval _time=info_search_time
| eval size_MB = round(size_bytes/1024/1024,2)
| fields _time,index,size_MB
And then finally generate a chart based on this summary index.
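
The procedure from the last answer, written out as savedsearches.conf stanzas; this is an added example, not part of the original thread. The stanza names, the `summary` target index, the source label and the `source_index` field are assumptions: `index` is renamed so it does not collide with the summary event's own `index` field, and sizes are summed per index because `summarize=false` returns one row per index and search peer.

```ini
# Added example. Stanza names, the "summary" index, the source label and the
# source_index field name are assumptions, not values from the thread.

# 1) Daily snapshot of each index's size, written to the summary index.
[index_size_daily_snapshot]
enableSched = 1
cron_schedule = 55 23 * * *
search = | eventcount summarize=false report_size=true index=* \
| stats sum(size_bytes) AS size_bytes BY index \
| addinfo \
| eval _time=info_search_time \
| eval size_MB=round(size_bytes/1024/1024,2) \
| rename index AS source_index \
| fields _time, source_index, size_MB \
| collect index=summary source="index_size_daily"

# 2) One-week chart of total size per index, one point per day.
[index_size_last_7_days]
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
search = index=summary source="index_size_daily" \
| timechart span=1d latest(size_MB) AS size_MB BY source_index

# 3) Day-over-day change, derived from consecutive snapshots.
#    Starts one day earlier so the first charted day has a previous value.
[index_size_daily_growth]
dispatch.earliest_time = -8d@d
dispatch.latest_time = now
search = index=summary source="index_size_daily" \
| bin _time span=1d \
| stats latest(size_MB) AS size_MB BY _time, source_index \
| sort 0 source_index, _time \
| streamstats current=f window=1 last(size_MB) AS prev_MB BY source_index \
| eval growth_MB=round(size_MB-prev_MB,2) \
| where isnotnull(growth_MB) \
| timechart span=1d sum(growth_MB) BY source_index
```

The snapshots record total index size, so `growth_MB` can be negative on days when retention removes more data than was indexed.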