How to determine the data volume associated to a g...

olopez77 · ‎03-19-2013

I have data comming into the corporate indexers from several business units (BU). Given a list of hosts owned by each BU, how do you determine how much data volume is associated to each BU?

vincesesto · ‎03-19-2013

Hey olopez77,

Have you checked out the Splunk License Usage app that is available:
http://splunk-base.splunk.com/apps/22382/splunk-license-usage

I think this should give you a good idea as to how you can set this up...One of the searches being performed on the dashboard does something like the following:

index="_internal" source="metrics.log" per_host_thruput | chart sum(kb) by series

So all you would really need to do is provide host details for each BU and you can get a total from that.

Hope that this helps, if not let me know and I would be happy to clarify.

Regards Vince

olopez77 · ‎03-20-2013

I'm not clear on how to "provide host details", I currently have over 22k hosts sending data. Each BU contributes data from several hundred hosts. The goal is to provide each BU a breakdown of how much volume each BU generates. I only have host lists (csv) to work from. Unfortunately, I have no mechanism in Splunk (i.e. tags, or dedicated indexes) that associate hosts to a BU.

How to determine the data volume associated to a group of hosts?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life