Total number if indexed volume for all hosts per d...

mike7860 · ‎11-02-2012

I would like to generate a report that'll list all the indexes and indexed volume usage for all the servers in my environment. When I am using the following expression, it is displaying incorrect info.
index=_internal group="per_index_thruput" | dedup series | table series kb | eval gb = round(kb/1024, 2) | fields - kb | rename gb as sum(GB) | addcoltotals

All the indexes are listed along with their usages, but the results do not tally with the results obtained from clicking Status -> Index activity -> Index volume. I do not want to use the results from the status tab as I am unable to do modifications like changing the usage into MB and adding totals of indexed volume usage.

pshumate · ‎11-02-2012

Quick visualization of the ingest:



earliest=-2d@d latest=-1d@d index=_internal group="per_index_thruput" | timechart per_second(kb) as " kbps" by series

and a answer to the question:



earliest=-2d@d latest=-1d@d index=_internal group="per_index_thruput" 

| eval rmb = round(kb/1024, 2) 

| eval rgb = round(rmb/1024, 2)

| eval mb = kb/1024

| eval gb = (kb/1024)/1024

| stats  sum(kb) as "Total KB", sum(rmb) AS "Rounded MB", sum(rgb) AS "Rounded GB", sum(mb) as "Total MB", sum(gb) AS "Total GB" by series

Total number if indexed volume for all hosts per day

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases