Is there a way to monitor the size of the files uploaded in Splunk?

clementros
Path Finder

Hi all,

Is there a way to monitor the size of log files that I upload to Splunk?

0 Karma
1 Solution

FrankVl
Ultra Champion

I don't think Splunk explicitly logs the size of the files that are ingested, but if those files have unique names and those names are captured in the source field (which is the case by default for file monitor inputs), you could check the license usage by source. That should give a pretty good indication of the file size.

index="_internal" source="*license_usage.log" type=Usage
| stats sum(b) AS bytes by s

To narrow down the results, you could add some filtering for the source (s) field (e.g. s="*.log") in the first line, depending on the pattern of log file names for which you want to check the size.

lakshman239
SplunkTrust

Yes, you can use the license usage search to know the size.

index=_internal source=*license_usage.log type=Usage idx= st= | eval GB=b/1024/1024/1024 | timechart sum(GB) by idx

You can change idx (index) and st to match the ones which you used.

0 Karma

whrg
Motivator

Hello @clementros,

I use the following search to list all sources and their corresponding license usage:

index=_internal source="*license_usage.log" type=usage | eval MB = b/1048576 | chart sum(MB) as sum_MB by s | eval sum_MB=round(sum_MB,0) | rename s as source | sort source

Set the search time picker accordingly.

It is also possible to list license usage for all sourcetypes, all hosts and all indexes.

0 Karma
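The per-source aggregation used in the answers above (`stats sum(b) by s`), reproduced offline as an added example that is not part of any post in this thread. The log lines are constructed samples in the key=value layout of license_usage.log, and the function names are hypothetical. Usage rows with an empty `s` field, which Splunk can write when it squashes source and host detail, are totalled separately because they cannot be attributed to a file.

```python
import fnmatch
import re
from collections import defaultdict

# Constructed sample lines (not real data) in the license_usage.log layout.
SAMPLE_LOG = '''\
01-15-2024 10:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app/upload_a.log" st="app_logs" h="web01" o="" idx="main" i="CONSTRUCTED-GUID" pool="auto_generated_pool_enterprise" b=1048576 poolsz=53687091200
01-15-2024 10:01:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app/upload_a.log" st="app_logs" h="web01" o="" idx="main" i="CONSTRUCTED-GUID" pool="auto_generated_pool_enterprise" b=524288 poolsz=53687091200
01-15-2024 10:01:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app/upload_b.log" st="app_logs" h="web01" o="" idx="main" i="CONSTRUCTED-GUID" pool="auto_generated_pool_enterprise" b=2048 poolsz=53687091200
01-15-2024 10:02:00.000 +0000 INFO  LicenseUsage - type=Usage s="/opt/data/metrics.csv" st="csv" h="web02" o="" idx="main" i="CONSTRUCTED-GUID" pool="auto_generated_pool_enterprise" b=100 poolsz=53687091200
01-15-2024 10:02:00.000 +0000 INFO  LicenseUsage - type=Usage s="" st="app_logs" h="" o="" idx="main" i="CONSTRUCTED-GUID" pool="auto_generated_pool_enterprise" b=4096 poolsz=53687091200
01-16-2024 00:00:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_enterprise" b=1579112 poolsz=53687091200
'''

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value pairs of one log line as a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def bytes_by_source(log_text, source_glob="*"):
    """Sum b per source for type=Usage rows whose s matches source_glob.

    Returns (totals, unattributed), where unattributed is the byte count
    of Usage rows that carry no source name.
    """
    totals = defaultdict(int)
    unattributed = 0
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("type") != "Usage" or "b" not in fields:
            continue  # skip summaries and anything without a byte count
        size = int(fields["b"])
        if not fields.get("s"):
            unattributed += size
        elif fnmatch.fnmatchcase(fields["s"], source_glob):
            totals[fields["s"]] += size
    return dict(totals), unattributed


if __name__ == "__main__":
    per_source, no_source = bytes_by_source(SAMPLE_LOG, "*.log")
    for src, size in sorted(per_source.items()):
        print(f"{src}\t{size} bytes\t{size / 1048576:.2f} MB")
    print(f"(no source recorded)\t{no_source} bytes")
```

A large unattributed total means the per-source figures understate the real file sizes for that time range.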