Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Stored events per indexer graph?

PaulEscher
Explorer
‎05-06-2011 11:12 AM

On the summary page, under Global summary, there is an "Events indexed" number. I'd like to be able to see the number of events indexed per indexer over time.

Is there a daily summary number for indexed events per indexer?

This would show me if there is any missing data and also if the indexers are taking an equal number of events overtime.

Thanks,
Paul

Tags (2)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-06-2011 04:36 PM

You might consider using bytes indexed rather than the count of events if you're just looking for patterns and comparisons. Splunk records this in license_audit.log on each indexer each day:

index=_internal source=*license_audit.log | timechart span=1d sum(todaysBytesIndexed) as prevDaysBytesIndexed by splunk_server

If you must use the event count, you can use:

index=_internal source=*metrics.log "group=thruput" "name=index_thruput" | timechart span=1d sum(ev) as events by splunk_server

This is a somewhat more expensive search, though not really that bad.

Reply

PaulEscher
Explorer
‎05-06-2011 08:14 PM

Is the "Events Indexed" number telling me how many events were indexed up to that point, or the number of events that are indexed currently (as in the buckets and available for searching)?

I'd like to track that number, but per indexer, in the case of file corruption or something similar.

I'll try your second query and see what I get.

Thanks,
Paul

0 Karma
Reply

Genti
Splunk Employee
Splunk Employee
‎05-06-2011 02:13 PM

so, the search that populates that view is this: 

| metadata type=sourcetypes | search totalCount>0 | rename totalCount as Count recentTime as "Last Update" | stats sum(Count)

You can setup a saved search that writes to a summary index every night at 00:00
Then you will have single values for each 24 hour period and see how your data grows everyday.
Again, this will be number of events, so if you wanted to know actual size you would want to run other searches.

Hope this helps,

.gz

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-06-2011 04:27 PM

This has a couple of problems. First, it only shows a total, so you can only get daily counts by storing and computing the difference between runs. Second and more importantly, the metadata command does not split out counts by indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...