topic Re: Index volume by host in Getting Data In

Index volume by host

jkeRE — Tue, 11 Dec 2012 13:27:33 GMT

Hello,
i am searching for a CLI Search Command which gives me the result of the daily Indexed volume per Host.

Which is the same as i do it via the GUI / Browser -->
Splunk --> Status --> Index activity --> Indexing Volume --> Split by Host / Yesterday

THX J.

Re: Index volume by host

bosburn_splunk — Tue, 11 Dec 2012 14:32:29 GMT

You can find several different queries here - http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

Brian

Re: Index volume by host

jtrucks — Mon, 28 Sep 2020 12:56:51 GMT

I run this across the last two weeks and look at it fairly often:

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by s useother=false | reverse

You could adapt that for host use instead of source fairly easily...

Re: Index volume by host

jkeRE — Tue, 11 Dec 2012 14:58:11 GMT

THX, i have already read this, but didn't find a solution.

I use this CLI -->

/opt/splunk/bin/splunk search "index=internal source=*licenseusage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by h useother=false" -auth test:test123

My Problem is that - the output only has the first 10 Hosts --> (limits.conf --> maxseries = 200 ) - and the output is very long. i want to limit to the last day.

Have you a solution?

Re: Index volume by host

jspears — Tue, 11 Dec 2012 15:09:09 GMT

For "yesterday" you would include

earliest=-1d@d latest=@d

in your search before the first pipe.

Then I would use stats instead of timechart to give data for every host in a table format:

  | stats sum(GB) by h

Re: Index volume by host

jtrucks — Tue, 11 Dec 2012 15:10:31 GMT

You can use time modifiers (it defaults to all time):

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/SearchTimeModifiers

so preface your search with: earliest=-1d@d latest=-0d@d

That will go midnight to midnight for yesterday, for example.

Also, add: limit=0

To get all hosts (or limit=100 or whatever).

Re: Index volume by host

jkeRE — Mon, 28 Sep 2020 12:56:56 GMT

Hello,

what is wrong:

/opt/splunk/bin/splunk search "index=_internal source=*license_usage.log type=Usage | earliest=-1d@d | eval GB=b/1024/1024/1024 | stats sum(GB) by h | reverse" -auth test:test123

Unknown search command 'earliest'.

Re: Index volume by host

jspears — Tue, 11 Dec 2012 15:52:29 GMT

earliest and latest, if used, must be placed before the first pipe.

Re: Index volume by host

jtrucks — Mon, 28 Sep 2020 12:56:59 GMT

earliest is a search parameter, so you want to do this:

/opt/splunk/bin/splunk search "index=_internal source=*license_usage.log type=Usage earliest=-1d@d | eval GB=b/1024/1024/1024 | stats sum(GB) by h | reverse" -auth test:test123

Re: Index volume by host

jkeRE — Wed, 12 Dec 2012 06:56:17 GMT

Thanx,
this work !!

And what have i apend that the result is sort by most volume first?

Re: Index volume by host

jkeRE — Mon, 28 Sep 2020 12:57:13 GMT

I found it!!!

Thank you very much.

/opt/splunk/bin/splunk search "index=_internal source=*license_usage.log type=Usage earliest=-1d@d latest=-0d@d | eval MB=b/1024/1034 | stats sum(MB) by h | sort sum(MB) | reverse" -auth test:test123

Re: Index volume by host

wagnerbianchi — Wed, 12 Dec 2012 10:46:04 GMT

Use

| sort -host

See more clicking on http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/sort