Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Total number of indexed volume per day

apro
Path Finder
‎06-21-2010 08:18 AM

Hi,

Currently I have a splunk server receiving logs from few servers.

I will like to do a search that is scheduled on a daily basis which will report on the total indexed volume for all servers in a day.

This command looks good but it list individual servers and their indexed size: index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | sort sum(MB)

Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎06-21-2010 04:45 PM

You simply need to use the addtotals command:

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | addtotals

View solution in original post

Reply
Solved! Jump to solution

apro
Path Finder
‎06-25-2010 06:18 AM

Some updates,

I am scheduling this search(Daily Indexed Volume) now:

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | rename series AS "Host(s)" | sort sum(MB) | addcoltotals col=t | fillnull value="[ Total Indexed Volume ] last 24 hours" Host(s)

but it seems to be generating the following errors:

in splunkd.log: 06-25-2010 10:04:27.285 ERROR stats - The argument '>' is invalid.

in scheduler.log: 06-25-2010 10:04:27.285 ERROR SavedSplunker - savedsearch_id="myuserid;search;Daily Indexed Volume", Error in 'stats': The argument '>' is invalid.

Any idea??

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎02-11-2013 08:47 AM

Is it because the parens in the Host(s)? Perhaps you need quotes or to escape it? I would try renaming that and give it another crack to isolate the issue.

0 Karma
Reply
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎06-21-2010 04:45 PM

You simply need to use the addtotals command:

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | addtotals

Reply
Solved! Jump to solution

mendesjo
Path Finder
‎02-24-2016 03:46 PM

another query posted and another that doesnt work.. for me anyway.

0 Karma
Reply
Solved! Jump to solution

apro
Path Finder
‎06-24-2010 06:01 AM

Hi, have created new question here ->

http://answers.splunk.com/questions/3976/custom-alert-condition-search-to-report-on-indexed-volume

thanks.

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎06-23-2010 03:11 PM

I can help answer your question, but for sharing purposes, can you create a new question? It's a modified search and it uses additional operators.

0 Karma
Reply
Solved! Jump to solution

apro
Path Finder
‎06-23-2010 10:10 AM

Thanks for the tip.works fine and got to display the total volume.Can advise further on the Custom Alert condition search to specify if I only want to receive an email if the total indexed volume hit 70% of the license limit?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...