Getting Data In

How to create a chart of the total GB by source or sourcetype for a specific index?

fertlaloc
New Member

I'm new in Splunk, and I'm an autodidact. It's been a long time (years) since I have done anything with programming or commands, but Splunk, I like it.
In this moment, I have created an INDEX with around 90 sources and almost 100 Sourcetypes. My questions is, How to show the total GB by source or sourcetype for this specific INDEX? My Splunk instance has more sources and indexes.

gracias a todos amigos

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Run this from your license master node. You may be able to run this on regular search head if you're forwarding license master node to indexers.

For license usage by source

index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by s | eval gb=round(b/(1024*1024*1024),4)

For sourcetypes

index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by st | eval gb=round(b/(1024*1024*1024),4)

View solution in original post

0 Karma

ddrillic
Ultra Champion

Hola,

You can also view the index sizes from the replication server, under Settings > Indexer clustering > Indexes -

alt text

Hasta luego

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Run this from your license master node. You may be able to run this on regular search head if you're forwarding license master node to indexers.

For license usage by source

index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by s | eval gb=round(b/(1024*1024*1024),4)

For sourcetypes

index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by st | eval gb=round(b/(1024*1024*1024),4)
0 Karma

fertlaloc
New Member

Thank you, was succesful, see you

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...