Solved: How to monitor and report the amount of data index...

feickertmd · ‎11-19-2014

How can I use Splunk to tell me how much data per day each host is forwarding to Splunk? Basically, I need a report that shows the host name and how much data it passed through the Splunk forwarder in bytes.

somesoni2 · ‎11-19-2014

This might help

index=_internal sourcetype=splunkd group=per_host_thruput | timechart sum(kb) as totalkb by series limit=0

View solution in original post

somesoni2 · ‎11-19-2014

This might help

index=_internal sourcetype=splunkd group=per_host_thruput | timechart sum(kb) as totalkb by series limit=0

feickertmd · ‎11-19-2014

This is good, but it gives the average per event. I need aggregate average per day.

I combined yours with the elements here: http://answers.splunk.com/answers/79026/average-count-by-day.html

That worked out nicely. Final query looks like this:
index=_internal sourcetype=splunkd group=per_host_thruput earliest=-1mon@mon latest=@mon | bucket _time span=1d | stats sum(kb) as total by series,_time | stats avg(total) as average by series |eval averageMB=round(average/1024,2) |fields - average |rename series as "Host Server",averageMB as "Average size per day in MB"

feickertmd · ‎11-20-2014

So while this report is nice, It shows only 31 hosts as belonging to the series field. We have 57 hosts overall. Why would I not see them all in this report?

MuS · ‎11-19-2014

Hi feickertmd,

use the license usage report for this, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/AboutSplunksLicenseUsageReportView

cheers, MuS

How to monitor and report the amount of data indexed per host?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk