I'm new in Splunk, and I'm an autodidact. It's been a long time (years) since I have done anything with programming or commands, but Splunk, I like it.
In this moment, I have created an INDEX with around 90 sources and almost 100 Sourcetypes. My questions is, How to show the total GB by source or sourcetype for this specific INDEX? My Splunk instance has more sources and indexes.
gracias a todos amigos
Run this from your license master node. You may be able to run this on regular search head if you're forwarding license master node to indexers.
For license usage by source
index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by s | eval gb=round(b/(1024*1024*1024),4)
For sourcetypes
index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by st | eval gb=round(b/(1024*1024*1024),4)
Run this from your license master node. You may be able to run this on regular search head if you're forwarding license master node to indexers.
For license usage by source
index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by s | eval gb=round(b/(1024*1024*1024),4)
For sourcetypes
index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by st | eval gb=round(b/(1024*1024*1024),4)
Thank you, was succesful, see you