I am looking for the search that is used to calculate the indexing volume under the status tab in the search app.
I think the data comes from the index=_internal source="*license_usage.log"
I can't get the math right. I am using | eval mb=b/1048576 | stats sum(mb) by h
But this is not giving me the same number as the indexing volume search.
Anyone know how they calculate this number??
Here it is:
index=_internal source=*metrics.log group=X | eval MB=kb/1024
I found it in the XML for the view, under Manager » User interface » Views » indexing_volume
The X should be one of the group field values.
index="_internal" source="*metrics*" group=per_index_thruput NOT series="_*" | stats sum(kb) as KB_indexed by date_month ,date_mday,date_year,splunk_server | eventcount summarize=false report_size=true index=* | fields index count server size_bytes | sort - count
But this is the index size; to get proper license usage, the following searches would be best:
Sum per day per pool for the previous days: index=_internal source=*license_usage* type=RolloverSummary | bucket _time span=1d | stats sum(b) AS volume by _time pool
Detail per pool: index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool
Detail per source type: index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st useother=false
Detail per host: index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by h useother=false
Detail per indexer: index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by i useother=false
Thanks for your help, Marco and Ms Guinn.
This search comes close:
| eval MB=b/1024/1024 | timechart span=1d sum(MB) by h
I get 559.109342 with the search above and for the same time period I get 560.3007612295 when I use the indexing_volume view mentioned above
Can you try on your system to see if you can reconcile the difference???
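As an added example (not part of this thread, and not Splunk's own code), the script below reproduces the arithmetic of the license_usage.log searches above outside Splunk, so the numbers can be checked line by line. It runs over a handful of constructed license_usage.log lines (sample data invented for the example; the field names type, s, st, h, idx, i, pool, b and poolsz follow the real log layout, the values do not describe any real system). daily_sum() mirrors "type=Usage | eval MB=b/1024/1024 | timechart span=1d sum(MB) by h" for any split field and unit, and rollover_volume() mirrors the type=RolloverSummary search. One thing it makes visible: b/1048576 and b/1024/1024 are the same value (division by a power of two is exact in floating point), so a gap against the indexing_volume view cannot come from the unit conversion; that view reads kb from metrics.log while these searches read bytes from license_usage.log, which are different sources.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the layout of Splunk's license_usage.log.
# Not real data: hosts, pools, byte counts and timestamps are invented.
SAMPLE_LOG = """\
03-01-2013 00:01:00.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/syslog" st="syslog" h="web01" o="" idx="main" i="idx1" pool="auto_generated_pool_enterprise" b=1572864 poolsz=53687091200
03-01-2013 00:02:00.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/auth.log" st="linux_secure" h="web01" o="" idx="security" i="idx1" pool="auto_generated_pool_enterprise" b=524288 poolsz=53687091200
03-01-2013 00:03:00.000 +0000 INFO  LicenseUsage - type="Usage" s="WinEventLog:Security" st="WinEventLog:Security" h="dc01" o="" idx="security" i="idx2" pool="auto_generated_pool_enterprise" b=3145728 poolsz=53687091200
03-02-2013 00:00:05.000 +0000 INFO  LicenseUsage - type="RolloverSummary" pool="auto_generated_pool_enterprise" b=5242880 poolsz=53687091200
03-02-2013 00:01:00.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/syslog" st="syslog" h="web01" o="" idx="main" i="idx1" pool="auto_generated_pool_enterprise" b=2097152 poolsz=53687091200
"""

# Leading Splunk timestamp: MM-DD-YYYY HH:MM:SS.mmm +ZZZZ
_TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4} ")
# key="quoted value" or key=bare_value pairs after the timestamp
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Divisors behind "eval MB=b/1024/1024" and "eval GB=b/1024/1024/1024".
# b/1048576 (the original poster's version) is the identical number.
UNIT_DIVISOR = {"MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_license_usage(text):
    """Parse license_usage.log lines into dicts.

    b becomes an int; 'day' is the bucket that `bucket _time span=1d` or
    `timechart span=1d` would assign (assumes all lines share one UTC offset).
    """
    events = []
    for line in text.splitlines():
        m = _TS_RE.match(line)
        if not m:
            continue  # not a Splunk log line; skip it
        ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f")
        fields = {}
        for kv in _KV_RE.finditer(line[m.end():]):
            key, quoted, bare = kv.group(1), kv.group(2), kv.group(3)
            fields[key] = quoted if quoted is not None else bare
        if "type" not in fields or "b" not in fields:
            continue  # lines without a type and byte count carry no volume
        fields["b"] = int(fields["b"])
        fields["day"] = ts.strftime("%Y-%m-%d")
        events.append(fields)
    return events


def daily_sum(events, by, unit="MB"):
    """Mirror `type=Usage | eval X=b/<div> | timechart span=1d sum(X) by <by>`.

    Returns {(day, value_of_by_field): total in the chosen unit}.
    """
    div = UNIT_DIVISOR[unit]
    totals = defaultdict(float)
    for ev in events:
        if ev["type"] == "Usage" and by in ev:
            totals[(ev["day"], ev[by])] += ev["b"] / div
    return dict(totals)


def rollover_volume(events):
    """Mirror `type=RolloverSummary | bucket _time span=1d
    | stats sum(b) AS volume by _time pool` (raw bytes, no unit conversion)."""
    totals = defaultdict(int)
    for ev in events:
        if ev["type"] == "RolloverSummary":
            totals[(ev["day"], ev["pool"])] += ev["b"]
    return dict(totals)


if __name__ == "__main__":
    evs = parse_license_usage(SAMPLE_LOG)
    print("Detail per host (MB):")
    for (day, host), mb in sorted(daily_sum(evs, "h", "MB").items()):
        print(f"  {day} {host:<6} {mb:.3f}")
    print("Detail per source type (GB):")
    for (day, st), gb in sorted(daily_sum(evs, "st", "GB").items()):
        print(f"  {day} {st:<20} {gb:.6f}")
    print("RolloverSummary volume per day per pool (bytes):")
    for (day, pool), b in sorted(rollover_volume(evs).items()):
        print(f"  {day} {pool} {b}")
```

To check the arithmetic against a real system, replace SAMPLE_LOG with lines exported from $SPLUNK_HOME/var/log/splunk/license_usage.log (path assumed from the default layout) for the same day range used in the Splunk search; the per-host MB totals should match the timechart output exactly, since both are plain byte sums over the same events.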