How to calculate volume of events across various i...

xbbj3nj · ‎04-10-2014

All I want to do is create a query that fetches the below result

Day Index-name Volume
4/1 abc 5GB
4/2 abc 8GB
4/3 abc 10GB
4/4 abc 15GB
4/5 abc 4GB
........

Can any one help on this regard ? Any help is much appreciated

martin_mueller · ‎04-10-2014

The SoS app should give you that out of the box, Indexing -> Indexing Performance -> split by index
http://apps.splunk.com/app/748/

martin_mueller · ‎04-10-2014

You may also want to take a look at http://host:8000/en-US/app/sos/license_usage_30days on your license master, that gives you a volume per day splittable by index.
Also available under http://host:8000/en-US/manager/search/licenseusage not requiring SoS.

martin_mueller · ‎04-10-2014

...app/sos/indexing_performance lets you pick any indexer and can split by index, .../app/sos/indexing_distributed lets you split by indexers but not by index... but this being Splunk, anything can be extended. Taking the queries from those two views, you could build this:

`set_internal_index` source=*metrics.log group=per_index_thruput [inputlookup splunk_servers_cache | search server_role!="search-head" | search server_role!="*forwarder*" | eval host=sos_server | fields host] | timechart minspan=30s per_second(kb) AS KBps by series useother=false limit=100

xbbj3nj · ‎04-10-2014

Thank you so much !! but what does the Total column indicate.. is it volume in GB ? and i have 2 indexers.. so can i get a one shot view of volume in gb by individual indexes.

How to calculate volume of events across various indexes ?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability