https://community.splunk.com/t5/Getting-Data-In/How-to-determine-index-volume-by-sourcetype/m-p/125145#M25815 <P>Hello,</P> <P>How can I determine the index volume by sourcetype? The reason why I ask is because occasionally I'll have a big spike in my index volume that threatens my license cap and I'm trying to find the best way to determine the cause of the spike. If I can create a chart that shows volume by sourcetype (over X hours) then I can identify the culprit and dig in from there.</P> <P>Or even better, is there a search that I can run that actually identifies the cause of the spike (not just the sourectype)?</P> <P>Thanks!</P> Mon, 15 Sep 2014 17:16:05 GMT echojacques 2014-09-15T17:16:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-determine-index-volume-by-sourcetype/m-p/125145#M25815 <P>Hello,</P> <P>How can I determine the index volume by sourcetype? The reason why I ask is because occasionally I'll have a big spike in my index volume that threatens my license cap and I'm trying to find the best way to determine the cause of the spike. If I can create a chart that shows volume by sourcetype (over X hours) then I can identify the culprit and dig in from there.</P> <P>Or even better, is there a search that I can run that actually identifies the cause of the spike (not just the sourectype)?</P> <P>Thanks!</P> Mon, 15 Sep 2014 17:16:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-determine-index-volume-by-sourcetype/m-p/125145#M25815 echojacques 2014-09-15T17:16:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-determine-index-volume-by-sourcetype/m-p/125146#M25816 <P>Trust the license usage (not the metrics) form the license-master.</P> <P>Example for the size for yesterday</P> <PRE><CODE>earliest=-1d@d latest=@d index=_internal source=*license_usage.log* type=Usage | stats sum(b) AS Bytes by st | sort -Bytes </CODE></PRE> <P>see more here : <A href="http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume">http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume</A></P> Mon, 15 Sep 2014 17:50:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-determine-index-volume-by-sourcetype/m-p/125146#M25816 ykherianDEPRECA 2014-09-15T17:50:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-determine-index-volume-by-sourcetype/m-p/125147#M25817 <P>Thanks, the link ( <A href="http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume">http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume</A> ) is very helpful.</P> Mon, 15 Sep 2014 20:26:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-determine-index-volume-by-sourcetype/m-p/125147#M25817 echojacques 2014-09-15T20:26:58Z