Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Determine how much data is being stored daily vs how much is aging out?

mmcarty
New Member
‎04-04-2018 09:46 AM

Hello community,

First of all, thank you very much for your time for reading my following question,
I am a Splunk newbie, an instruction has been given to us to, "Determine how much data is being stored daily vs how much is aging out"

  • We have a clustered Indexers environment.
  • we’re approaching our disk capacity

We are aging out data reaching its retention period so while we’re indexing new data, we are throwing away old but since we have added expanded datasources over the last year, we are most likely ingesting more than we’re aging out.

my question is:
How to determine how much data is being stored daily vs how much is aging out?
This should give us an idea of how much runway we have.

Thank you very much!

Tags (3)
0 Karma
Reply

adonio
Ultra Champion
‎04-05-2018 07:50 AM

hello there,

to check how much data is being committed to disk daily, use the time picker and search the following:

| dbinspect index=*
| stats sum(sizeOnDiskMB) as daily_mb_to_disk

if you dont roll to frozen, it can be a little tricky to track the sum of data in buckets that are rolling out.
you can try and calculate your disk size at the beginning of a day and at the end of a day and use the total size you discovered earlier to see how much data rolled out:
example: total disk size at 4/4 00:00:00 is 500GB total data used at that time is 400GB
total data committed on 4/4 is 50GB.
when checking the total disk at 4/5 00:00:00 is 425 -> you rolled out 25GB

hope it helps

p.s. try and look for the Fire Brigade app, it might have better insights, also, try and use data in the _introspection index.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...