- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to determine the indexing volume by source
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to determine the indexing volume by source
On an 'All time' range, the two following searches provide different results. The first one gives the expected result (exhaustive) while the second one is incomplete.
index="my_index" | stats values(source)
index="_internal" source="*metrics.log" group="per_source_thruput" series="/path/to/raw/data/*" | stats by series | fields series
We are trying to get the indexing volume by source, according to http://answers.splunk.com/answers/140/how-do-i-determine-my-indexing-volume-by-host-source-or-source...
index="_internal" source="*metrics.log" group="per_source_thruput" series="/path/to/raw/data/*" | chart sum(kb) by series | sort - sum(kb)
But a lot of sources are missing, any idea ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi laurent_,
by default metrics.log only reports on the top 10 results for each type.
You can change this in metrics stanza of limits.conf
Update:
here are some searches that does not use metrics.log
per source:
index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by s useother=false
summary per day per pool for the previous days:
index=_internal source=*license_usage* type=RolloverSummary | bucket _time span=1d | stats sum(b) AS volume by _time pool
per pool:
index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool
per sourcetype:
index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st useother=false
per host:
index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by h useother=false
per indexer:
index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by i useother=false
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
please mark this as answered by ticking the tick - thx 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
according to the docs http://docs.splunk.com/Documentation/Splunk/6.0.3/Troubleshooting/WhatSplunklogsaboutitself license_usage.log contains all information, not only top 10.
limits.conf is the place for the change, like I told you. Did you restart Splunk afterwards? Also this will only be valid for new events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your answer MuS.
If we use the index=internal source=*license_usage.log type=Usage we also get the top 10 sources and not _all sources.
We have not found the value allowing to log all sources in *metrics.log and had to set arbitrarily the parameter in limits.conf
[metrics]
maxseries = 100000
Any help ?
Thanks in advance
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
