https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15837#M1826 <P>I can help answer your question, but for sharing purposes, can you create a new question? It's a modified search and it uses additional operators.</P> Wed, 23 Jun 2010 22:11:50 GMT Simeon 2010-06-23T22:11:50Z https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15834#M1823 <P>Hi,</P> <P>Currently I have a splunk server receiving logs from few servers.</P> <P>I will like to do a search that is scheduled on a daily basis which will report on the total indexed volume for all servers in a day.</P> <P>This command looks good but it list individual servers and their indexed size: index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | sort sum(MB)</P> <P>Thanks</P> Mon, 21 Jun 2010 15:18:01 GMT https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15834#M1823 apro 2010-06-21T15:18:01Z https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15835#M1824 <P>You simply need to use the addtotals command:</P> <P>index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | addtotals </P> Mon, 21 Jun 2010 23:45:54 GMT https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15835#M1824 Simeon 2010-06-21T23:45:54Z https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15836#M1825 <P>Thanks for the tip.works fine and got to display the total volume.Can advise further on the Custom Alert condition search to specify if I only want to receive an email if the total indexed volume hit 70% of the license limit?</P> Wed, 23 Jun 2010 17:10:46 GMT https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15836#M1825 apro 2010-06-23T17:10:46Z https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15837#M1826 <P>I can help answer your question, but for sharing purposes, can you create a new question? It's a modified search and it uses additional operators.</P> Wed, 23 Jun 2010 22:11:50 GMT https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15837#M1826 Simeon 2010-06-23T22:11:50Z https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15838#M1827 <P>Hi, have created new question here -&gt;</P> <P><A href="http://answers.splunk.com/questions/3976/custom-alert-condition-search-to-report-on-indexed-volume">http://answers.splunk.com/questions/3976/custom-alert-condition-search-to-report-on-indexed-volume</A></P> <P>thanks.</P> Thu, 24 Jun 2010 13:01:44 GMT https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15838#M1827 apro 2010-06-24T13:01:44Z https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15839#M1828 <P>Some updates,</P> <P>I am scheduling this search(Daily Indexed Volume) now:</P> <P>index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | rename series AS "Host(s)" | sort sum(MB) | addcoltotals col=t | fillnull value="[ Total Indexed Volume ] last 24 hours" Host(s)</P> <P>but it seems to be generating the following errors:</P> <P>in splunkd.log: 06-25-2010 10:04:27.285 ERROR stats - The argument '&gt;' is invalid.</P> <P>in scheduler.log: 06-25-2010 10:04:27.285 ERROR SavedSplunker - savedsearch_id="myuserid;search;Daily Indexed Volume", Error in 'stats': The argument '&gt;' is invalid.</P> <P>Any idea??</P> Fri, 25 Jun 2010 13:18:25 GMT https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15839#M1828 apro 2010-06-25T13:18:25Z https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15840#M1829 <P>Is it because the parens in the Host(s)? Perhaps you need quotes or to escape it? I would try renaming that and give it another crack to isolate the issue.</P> Mon, 11 Feb 2013 16:47:25 GMT https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15840#M1829 sloshburch 2013-02-11T16:47:25Z https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15841#M1830 <P>another query posted and another that doesnt work.. for me anyway.</P> Wed, 24 Feb 2016 23:46:48 GMT https://community.splunk.com/t5/Getting-Data-In/Total-number-of-indexed-volume-per-day/m-p/15841#M1830 mendesjo 2016-02-24T23:46:48Z