How can I get statistics on daily indexed log size?

ndkhoiits
Explorer

I use Splunk to index the log files from several servers. Today I have to report the indexed log size for every day as a chart; the data for reporting covers only 1 week.

Does anyone have an idea for creating a query and making a chart?

0 Karma

sunrise
Contributor

You can refer to the default alerts in Splunk.

http://(your_server):8000/en-US/app/search/reports
Click "License Usage Data Cube"

0 Karma

guilmxm
SplunkTrust

index=_internal source=*metrics.log group=per_index_thruput series=* | eval MB = round(kb/1024,2) | timechart sum(MB) as MB by series

Will return data indexing information.

0 Karma

ndkhoiits
Explorer

Thanks @guilmxm, however there are no results found with group per_index_thruput.

0 Karma

guilmxm
SplunkTrust

I'm sorry, I think I misunderstood your question, as you seem to want to chart an indexed log file and not the index itself.

You could create a simple shell script that will output time, logfile name, and size (script input), index it where you want, and then generate charts as you need.

0 Karma
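
The shell-script approach suggested in the post above, as an added example that is not part of the original thread: a collector that prints one key=value event per log file with its current size and its growth since the previous run. The function name, the field names and the `STATE_DIR` location are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): scripted-input style collector.
# STATE_DIR is a hypothetical directory holding one size snapshot per file.
STATE_DIR="${STATE_DIR:-$HOME/.logsize_state}"

# Print one event per file: timestamp, name, size, growth since last run.
emit_log_sizes() {
    mkdir -p "$STATE_DIR" || return 1
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    for f in "$@"; do
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            # A log that vanished or became unreadable gets its own event.
            printf '%s logfile="%s" status=missing\n' "$now" "$f"
            continue
        fi
        size=$(wc -c < "$f" | tr -d ' ')
        # State file is named by a checksum of the monitored path.
        key=$(printf '%s' "$f" | cksum | cut -d' ' -f1)
        prev=0
        if [ -f "$STATE_DIR/$key" ]; then
            prev=$(cat "$STATE_DIR/$key")
        fi
        if [ "$size" -ge "$prev" ]; then
            growth=$((size - prev))
        else
            # File shrank: treat it as rotated or truncated, count from zero.
            growth=$size
        fi
        printf '%s\n' "$size" > "$STATE_DIR/$key"
        printf '%s logfile="%s" size_bytes=%s growth_bytes=%s status=ok\n' \
            "$now" "$f" "$size" "$growth"
    done
}

# When run as a script, the log paths are passed as arguments.
if [ "$#" -gt 0 ]; then
    emit_log_sizes "$@"
fi
```

Once these events are indexed, summing `growth_bytes` per day (for example with `timechart span=1d`) gives the daily volume per file, and a `status=missing` event or a day with zero growth points to a source that stopped logging.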

ndkhoiits
Explorer

Thanks for your answer. I'm using Splunk 6. I see there is a feature named 'licenseusage'; however, the page was rendered with JS, so I have to query for the information.

0 Karma

guilmxm
SplunkTrust

Hi,

You can use the following request to get the current index size (size in MB):

| eventcount summarize=false report_size=true index=* | eval size_MB = round(size_bytes/1024/1024,2) | fields index, size_MB

At this point, you can schedule a saved search that will populate a summary index, including _time data extracted from the search time itself:

| eventcount summarize=false report_size=true index=*
| addinfo
| eval _time=info_search_time
| eval size_MB = round(size_bytes/1024/1024,2)
| fields _time,index,size_MB

And then finally generate a chart based on this summary index.

0 Karma