Total number if indexed volume for all hosts per d...

mike7860 · ‎11-02-2012

I would like to generate a report that'll list all the indexes and indexed volume usage for all the servers in my environment. When I am using the following expression, it is displaying incorrect info.
index=_internal group="per_index_thruput" | dedup series | table series kb | eval gb = round(kb/1024, 2) | fields - kb | rename gb as sum(GB) | addcoltotals

All the indexes are listed along with their usages, but the results do not tally with the results obtained from clicking Status -> Index activity -> Index volume. I do not want to use the results from the status tab as I am unable to do modifications like changing the usage into MB and adding totals of indexed volume usage.

pshumate · ‎11-02-2012

Quick visualization of the ingest:



earliest=-2d@d latest=-1d@d index=_internal group="per_index_thruput" | timechart per_second(kb) as " kbps" by series

and a answer to the question:



earliest=-2d@d latest=-1d@d index=_internal group="per_index_thruput" 

| eval rmb = round(kb/1024, 2) 

| eval rgb = round(rmb/1024, 2)

| eval mb = kb/1024

| eval gb = (kb/1024)/1024

| stats  sum(kb) as "Total KB", sum(rmb) AS "Rounded MB", sum(rgb) AS "Rounded GB", sum(mb) as "Total MB", sum(gb) AS "Total GB" by series

Total number if indexed volume for all hosts per day

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!