https://community.splunk.com/t5/Getting-Data-In/How-to-determine-the-indexing-volume-by-source/m-p/153574#M31211 <P>Thank you for your answer MuS.</P> <P>If we use the index=<EM>internal source=*license_usage.log type=Usage we also get the top 10 sources and not _all</EM> sources.</P> <P>We have not found the value allowing to log all sources in *metrics.log and had to set arbitrarily the parameter in limits.conf<BR /> [metrics]<BR /> maxseries = 100000</P> <P>Any help ?</P> <P>Thanks in advance</P> Mon, 28 Sep 2020 16:34:16 GMT laurent_ 2020-09-28T16:34:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-determine-the-indexing-volume-by-source/m-p/153572#M31209 <P>On an 'All time' range, the two following searches provide different results. The first one gives the expected result (exhaustive) while the second one is incomplete.</P> <P><CODE>index="my_index" | stats values(source)</CODE></P> <P><CODE>index="_internal" source="*metrics.log" group="per_source_thruput" series="/path/to/raw/data/*" | stats by series | fields series</CODE></P> <P>We are trying to get the indexing volume by source, according to <A href="http://answers.splunk.com/answers/140/how-do-i-determine-my-indexing-volume-by-host-source-or-sourcetype">http://answers.splunk.com/answers/140/how-do-i-determine-my-indexing-volume-by-host-source-or-sourcetype</A></P> <P><CODE>index="_internal" source="*metrics.log" group="per_source_thruput" series="/path/to/raw/data/*" | chart sum(kb) by series | sort - sum(kb)</CODE></P> <P>But a lot of sources are missing, any idea ?</P> Tue, 06 May 2014 11:52:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-determine-the-indexing-volume-by-source/m-p/153572#M31209 laurent_ 2014-05-06T11:52:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-determine-the-indexing-volume-by-source/m-p/153573#M31210 <P>Hi laurent_,</P> <P>by default <A href="http://docs.splunk.com/Documentation/Splunk/6.0.3/Troubleshooting/Aboutmetricslog"><CODE>metrics.log</CODE></A> only reports on the top 10 results for each type. <BR /> You can change this in metrics stanza of <A href="http://docs.splunk.com/Documentation/Splunk/6.0.3/Admin/Limitsconf"><CODE>limits.conf</CODE></A> </P> <P>Update:</P> <P>here are some searches that does not use <CODE>metrics.log</CODE></P> <P>per source:</P> <PRE><CODE>index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by s useother=false </CODE></PRE> <P>summary per day per pool for the previous days: </P> <PRE><CODE>index=_internal source=*license_usage* type=RolloverSummary | bucket _time span=1d | stats sum(b) AS volume by _time pool </CODE></PRE> <P>per pool: </P> <PRE><CODE>index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool </CODE></PRE> <P>per sourcetype:</P> <PRE><CODE>index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st useother=false </CODE></PRE> <P>per host:</P> <PRE><CODE> index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by h useother=false </CODE></PRE> <P>per indexer: </P> <PRE><CODE>index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by i useother=false </CODE></PRE> <P>hope this helps ...</P> <P>cheers, MuS</P> Tue, 06 May 2014 12:01:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-determine-the-indexing-volume-by-source/m-p/153573#M31210 MuS 2014-05-06T12:01:59Z https://community.splunk.com/t5/Getting-Data-In/How-to-determine-the-indexing-volume-by-source/m-p/153574#M31211 <P>Thank you for your answer MuS.</P> <P>If we use the index=<EM>internal source=*license_usage.log type=Usage we also get the top 10 sources and not _all</EM> sources.</P> <P>We have not found the value allowing to log all sources in *metrics.log and had to set arbitrarily the parameter in limits.conf<BR /> [metrics]<BR /> maxseries = 100000</P> <P>Any help ?</P> <P>Thanks in advance</P> Mon, 28 Sep 2020 16:34:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-determine-the-indexing-volume-by-source/m-p/153574#M31211 laurent_ 2020-09-28T16:34:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-determine-the-indexing-volume-by-source/m-p/153575#M31212 <P>according to the docs <A href="http://docs.splunk.com/Documentation/Splunk/6.0.3/Troubleshooting/WhatSplunklogsaboutitself">http://docs.splunk.com/Documentation/Splunk/6.0.3/Troubleshooting/WhatSplunklogsaboutitself</A> license_usage.log contains all information, not only top 10.<BR /> limits.conf is the place for the change, like I told you. Did you restart Splunk afterwards? Also this will only be valid for new events.</P> Fri, 09 May 2014 09:44:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-determine-the-indexing-volume-by-source/m-p/153575#M31212 MuS 2014-05-09T09:44:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-determine-the-indexing-volume-by-source/m-p/153576#M31213 <P>please mark this as answered by ticking the tick - thx <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 09 May 2014 14:11:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-determine-the-indexing-volume-by-source/m-p/153576#M31213 MuS 2014-05-09T14:11:03Z