How can I get a report of total events (licensing) by count and size (GB) from a Splunk search for the past 7 days? How can I get the total space used by hot or cold buckets across all indexers? Thanks.
There are many apps for this, not the least of which is your Monitoring Console. Try these:
Meta woot!: https://splunkbase.splunk.com/app/2949/
Fire Brigade: https://splunkbase.splunk.com/app/1632/
Visualization for Clustered Buckets: https://splunkbase.splunk.com/app/3193/
Many More: https://splunkbase.splunk.com/apps/#/search/license/
Hi ssievert, thank you for your information.
For the first question, we are using the license master, which contains all the licenses shared with different teams, and it is very difficult to split out. I could get the events per day by using "licensing_epd", but this macro doesn't include the size of the events. I tried to use "index=_introspection component=Indexes" to get the size, but the number of events vs. the size of the events per day don't really match based on the ratio.
Do you know if there is another alternative solution?
The size of individual events is not recorded/indexed along with the events, so if you need it, you'll have to run a search that calculates it using an eval size=len(_raw). As you can imagine, that will be a pretty expensive search to run to get an exact result. Depending on your daily ingest, you may not want to run that over 7 days, but instead schedule it nightly and write aggregate results to a summary index, which you can then use in your weekly report.
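As an added example (not part of the original thread, and not configuration shipped by Splunk), here is the two-stage approach from the answer above written as savedsearches.conf stanzas: a nightly search that sizes events with len(_raw) and writes one row per index per day into Splunk's built-in "summary" index, and a weekly search that totals those rows. A third stanza uses dbinspect to answer the bucket-space part of the original question. The stanza names, the cron times and the custom "report" field are assumptions. Two caveats a practitioner should keep in mind: len(_raw) counts characters, not bytes, so on multibyte UTF-8 data it under-counts relative to what the license meter sees; and dbinspect's sizeOnDiskMB is the compressed on-disk size of each bucket (rawdata plus index files), which is not the same number as raw ingest.

```ini
# savedsearches.conf (e.g. in the local/ directory of a custom app).
# Stanza names, schedules and the "report" marker field are assumptions;
# "summary" is the summary index that ships with Splunk.

# 1. Nightly: count events and sum len(_raw) per index for the previous day.
#    This is still the expensive search the answer warns about, but it runs
#    once over one day instead of once over seven.
[event_size_daily]
enableSched = 1
cron_schedule = 15 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
search = index=* \
| eval size=len(_raw) \
| bin _time span=1d \
| stats count AS events, sum(size) AS raw_chars BY _time, index \
| eval raw_gb=round(raw_chars/1024/1024/1024, 3)
action.summary_index = 1
action.summary_index._name = summary
action.summary_index.report = event_size_daily

# 2. Weekly: read the seven daily rows back from the summary index and total
#    them per index. This only touches the summary rows, so it is cheap.
[event_size_weekly_report]
enableSched = 1
cron_schedule = 30 6 * * 1
dispatch.earliest_time = -7d@d
dispatch.latest_time = @d
search = index=summary report=event_size_daily \
| stats sum(events) AS events, sum(raw_chars) AS raw_chars BY index \
| eval raw_gb=round(raw_chars/1024/1024/1024, 3) \
| addcoltotals labelfield=index label="TOTAL"

# 3. On demand: disk used by hot/warm/cold buckets on each indexer.
#    dbinspect returns one row per bucket with its state and on-disk size;
#    in a distributed search it is run against every search peer.
[bucket_size_by_indexer]
search = | dbinspect index=* \
| stats sum(sizeOnDiskMB) AS disk_mb, count AS buckets BY splunk_server, state \
| eval disk_gb=round(disk_mb/1024, 2) \
| sort splunk_server, state
```

The daily search groups by a one-day _time bin so each summary row carries the day it describes rather than the time the scheduled search happened to run; the weekly report then simply sums those rows. If the license pool is shared across teams, adding the team's index list to the first stanza's index= clause (or grouping the stats by sourcetype as well as index) is the easiest way to split the result out.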