Solved: How much are we indexing per index

bohrasaurabh · ‎02-03-2014

How can I query how much data are we indexing per index for last 7 days. We are on Splunk 6.0.1

somesoni2 · ‎02-04-2014

Try this

index=_internal source=*metrics.log group=per_index_thruput series!="_*"  | bucket span=1d _time  | eval totalMB = round(kb/1024,4) | eval Date=strftime(_time,"%Y-%m-%d") | chart sum(totalMB) over series by Date

View solution in original post

somesoni2 · ‎02-04-2014

Try this

index=_internal source=*metrics.log group=per_index_thruput series!="_*"  | bucket span=1d _time  | eval totalMB = round(kb/1024,4) | eval Date=strftime(_time,"%Y-%m-%d") | chart sum(totalMB) over series by Date

lukejadamec · ‎02-03-2014

You can something try this:

index=_internal source=*metrics.log group=per_index_thruput series!="_*" | eval totalGB = (kb/1024)/1024 | timechart span=7d sum(totalGB)

bohrasaurabh · ‎02-04-2014

I am looking for a query which can output index and its usage. Something like below
name day1 day2 day3 day4 day5 day6 day7
index_a 1.2 1.3 1.5 1.1 1.7 0.9 1.1
index_b 3.2 3.2 3.5 3.7 4.0 3.2 3.2

How much are we indexing per index

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...