Re: How to calculate data ingestion from a specifi...

pm2012 · ‎12-04-2023

Hi SMEs,

Hope you are doing great, i am curious to know how to check the daily data consumption (GB/Day) from a specific Heavy Forwarder using Splunk search when there are multiple HFs are there in the deployment. thanks in advance

pm2012 · ‎12-04-2023

Thanks for the valueable query, few points here

1- I am unable to locate my HF under h field (search from IP as well as hostname)

2- How can i put restriction on day basis, like to create bar chart having license consumption during the week

3- I have another way to look into it as i mainly would like to calculate data ingestion where index name having common starting name like index="test*" and i found a field which is idx to query the same. However how to add all the data and show it in graph

4- Also i think this is license in GB , | eval licenseGB =round(license/1024/1024/1024,3). Why did you rename it to TB?

SanjayReddy · ‎12-04-2023

Hi @pm2012

you can use following query

index=_internal source="*license_usage.log" type=Usage h="<forwader name>"

| rename _time as Date

| eval Date=strftime(Date,"%b-%y")

| stats sum(b) as license by Date h

| eval licenseGB =round(license/1024/1024/1024,3)

| rename licenseGB as TB

andygerberkp

Don't you mean

| rename licenseGB as GB

How to calculate data ingestion from a specific Heavy Forwarder

heavy forwarder

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases