On an 'All time' range, the two following searches provide different results. The first one gives the expected result (exhaustive) while the second one is incomplete.
index="my_index" | stats values(source)
index="_internal" source="*metrics.log" group="per_source_thruput" series="/path/to/raw/data/*" | stats by series | fields series
We are trying to get the indexing volume by source, according to http://answers.splunk.com/answers/140/how-do-i-determine-my-indexing-volume-by-host-source-or-sourcetype
index="_internal" source="*metrics.log" group="per_source_thruput" series="/path/to/raw/data/*" | chart sum(kb) by series | sort - sum(kb)
But a lot of sources are missing, any idea ?
... View more