Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find out the total events by count and size from Splunk search?

splunkrocks2014
Communicator
‎09-08-2017 08:59 AM

How can I get the report of total events (licensing) by count and size (GB) from Splunk search from the past 7 days? How to get the total spaces from hot or cold buckets from all indexers? Thanks.

Labels (2)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎09-09-2017 08:30 AM

There are many apps for this, not the least of which is your Monitoring Console. Try these:
Meta woot!: https://splunkbase.splunk.com/app/2949/
Fire Brigade: https://splunkbase.splunk.com/app/1632/
Visualization for Clustered Buckets: https://splunkbase.splunk.com/app/3193/
Many More: https://splunkbase.splunk.com/apps/#/search/license/

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-08-2017 11:04 AM

For the first one, take a look here for some inspiration (modify to meet your needs).

For the second one, take a look at the dbinspect command.

0 Karma
Reply

splunkrocks2014
Communicator
‎09-08-2017 11:58 AM

Hi ssievert, thank you for your information.
For the first question, we are using the license master which contains all the license shared with different teams, and it is very difficult to split out. I could get the the event per day by using "licensing_epd", but this macro doesn't include the size of the events. I tried to use "index=_introspection component=Indexes" to get the size, but the numbers of events vs size of the events per day are not really matched based on the ratio.
Do you know if there are another alternate solution?

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-08-2017 02:10 PM

The size of individual events is not recorded/indexed along with the events, so if you need it, you'll have to run a search that calculates it using an eval size=len(_raw). As you can imagine, that will be a pretty expensive search to run to get an exact result. Depending on your daily ingest, you may not want to run that over 7 days, but instead schedule it nightly and write aggregate results to a summary index, which you can then use in your weekly report.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...