
How to find out the total events by count and size from Splunk search?

splunkrocks2014
Communicator

How can I get the report of total events (licensing) by count and size (GB) from Splunk search from the past 7 days? How to get the total spaces from hot or cold buckets from all indexers? Thanks.


woodcock
Esteemed Legend

There are many apps for this, not the least of which is your Monitoring Console. Try these:
Meta woot!: https://splunkbase.splunk.com/app/2949/
Fire Brigade: https://splunkbase.splunk.com/app/1632/
Visualization for Clustered Buckets: https://splunkbase.splunk.com/app/3193/
Many More: https://splunkbase.splunk.com/apps/#/search/license/


s2_splunk
Splunk Employee

For the first one, take a look here for some inspiration (modify to meet your needs).

For the second one, take a look at the dbinspect command.


splunkrocks2014
Communicator

Hi ssievert, thank you for your information.
For the first question, we are using the license master, which contains all the licenses shared with different teams, and it is very difficult to split out. I could get the events per day by using "licensing_epd", but this macro doesn't include the size of the events. I tried to use "index=_introspection component=Indexes" to get the size, but the number of events vs. the size of the events per day are not really matched based on the ratio.
Do you know if there is another alternative solution?


s2_splunk
Splunk Employee

The size of individual events is not recorded/indexed along with the events, so if you need it, you'll have to run a search that calculates it using an eval size=len(_raw). As you can imagine, that will be a pretty expensive search to run to get an exact result. Depending on your daily ingest, you may not want to run that over 7 days, but instead schedule it nightly and write aggregate results to a summary index, which you can then use in your weekly report.

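As an added example (not part of the answer above), here is a savedsearches.conf sketch of the nightly summary-index approach ssievert describes, followed by a dbinspect search for the bucket-space question. The app location, the stanza names and the summary index name "summary_ingest" are assumptions.

```ini
# savedsearches.conf in a custom app (file location, stanza names and the
# summary index name "summary_ingest" are assumptions for this example)

# Nightly: size each event from its raw text, roll up count and bytes per
# index for the previous day, and write the rows to a summary index.
[daily_ingest_by_index]
enableSched = 1
cron_schedule = 15 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
search = index=* | eval size=len(_raw) | bin _time span=1d | stats count AS events sum(size) AS bytes BY index _time | eval gb=round(bytes/1024/1024/1024, 3)
action.summary_index = 1
action.summary_index._name = summary_ingest

# Weekly report: read the precomputed daily rows instead of rescanning the
# raw events for the last 7 days (summary rows carry the saved search name
# as their source).
[weekly_ingest_report]
enableSched = 1
cron_schedule = 30 0 * * 1
dispatch.earliest_time = -7d@d
dispatch.latest_time = @d
search = index=summary_ingest source="daily_ingest_by_index" | stats sum(events) AS events sum(bytes) AS bytes BY index | eval gb=round(bytes/1024/1024/1024, 3) | sort - bytes

# Bucket disk usage per index, bucket state (hot/warm/cold) and indexer, for
# the second question; dbinspect is a generating command, so the search
# starts with a pipe.
[bucket_space_by_state]
search = | dbinspect index=* | stats sum(sizeOnDiskMB) AS mb BY index state splunk_server | eval gb=round(mb/1024, 3) | sort - mb
```

The nightly search scans only one day of raw events, so the weekly report costs a small stats over at most seven rows per index rather than a len(_raw) pass over seven days of ingest.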