Solved: Query for indexing volume (for last 7 days)

balbano · ‎10-04-2011

Hi,

I would like to modify this query:
index=_internal group="per_index_thruput" | eval mb=kb/1024| timechart span=1d sum(mb) by series

Basically I want to include only indexes that apply to actual license volume and I would like to be able to add a field showing total volume based on the indexes that returned on the query.

I know this is probably a stupid question that has been asked over and over and this use to be available in Splunk 3.x I believe.

Let me know.

Thanks.

Brian

balbano · ‎10-04-2011

index="_internal" group="per_index_thruput" | search series!="_audit" | search series!="_internal"| eval mb=kb/1000 | timechart span="24h" sum(mb)

View solution in original post

wrangler2x · ‎03-21-2013

Here is another way that shows you by index and puts a total at the bottom:

index=_internal source=*metrics* group=per_index_thruput series!="_*" earliest=-24h | rename series as index | eval MB = round(kb/1024,3) |stats sum(MB) as MB by index | where MB >= 1 | sort -MB | addtotals col=true row=false

If you remove 'earliest=-24' then you can have it use the time-frame you set in the drop-down box.

balbano · ‎10-04-2011

index="_internal" group="per_index_thruput" | search series!="_audit" | search series!="_internal"| eval mb=kb/1000 | timechart span="24h" sum(mb)

balbano · ‎10-04-2011

nevermind, this works for me:

index="_internal" group="per_index_thruput" | search series!="_audit" | search series!="_internal"| eval mb=kb/1000 | timechart span="24h" sum(mb)

Query for indexing volume (for last 7 days)

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!