https://community.splunk.com/t5/Getting-Data-In/How-to-get-volume-by-indexer/m-p/412091#M72942 <P>all, </P> <P>Is there a better way to get data by indexer than this search from the search head without access to the internal indexes/</P> <PRE><CODE>index=* | fields _raw, volume, splunk_server | eval volume=len(_raw) | stats sum(volume) by splunk_server </CODE></PRE> Sat, 18 Aug 2018 00:14:29 GMT daniel333 2018-08-18T00:14:29Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-volume-by-indexer/m-p/412091#M72942 <P>all, </P> <P>Is there a better way to get data by indexer than this search from the search head without access to the internal indexes/</P> <PRE><CODE>index=* | fields _raw, volume, splunk_server | eval volume=len(_raw) | stats sum(volume) by splunk_server </CODE></PRE> Sat, 18 Aug 2018 00:14:29 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-volume-by-indexer/m-p/412091#M72942 daniel333 2018-08-18T00:14:29Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-volume-by-indexer/m-p/412092#M72943 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/19813">@daniel333</a> </P> <P>unfortunately I don't think it is possible to get a exact understanding how much data is on your actual indexers if you don't have access to the _internal index.</P> <P>However... I tried to come up with a rough estimate on how it could be done with your solution.</P> <PRE><CODE>index=* | fields _raw, volume, splunk_server | eval volume=len(_raw) | stats sum(volume) AS volume by splunk_server | eval total_size_in_GB=round((volume*8/(1024*1024*1024)),4), total_size_on_disk_in_GB=round(total_size_in_GB*0.5,4) </CODE></PRE> <P>I added a <STRONG>total_size_in_GB</STRONG> field by multiplying the "volume" by 8 (Bit). For a lot of the standard characters you will need 8 Bit or 1 Byte to store it in memory. (If you have a lot of Chinese sign language in there this is a whole other story.)</P> <P>Then I basically divide it by 1024^3 which gives me the size in GB.</P> <P>I also added the <STRONG>total_size_on_disk_in_GB</STRONG> field that multiplies the <STRONG>total_size_in_GB</STRONG> field by 0.5<BR /> <EM>Why 0.5 you might ask?</EM><BR /> There is a sizing calculator out there which uses a default value of (Raw Compression Factor (0.15) + Metadata Size Factor (0.35)) = 0.15 + 0.35 = 0.5</P> <P><A href="https://splunk-sizing.appspot.com/" target="_blank">https://splunk-sizing.appspot.com/</A></P> <P>So the actual size of the data on your disk is the originally calculated size multiplied by 0.5.</P> <P>Another approach is you can do a <BR /> <CODE>| tstats count WHERE index=*</CODE> (last 24 hours)<BR /> counting the amount of events on your system. </P> <P>The Splunk Sizing Calculator has an option to get you a estimate on the amount of storage you need for your indexers to store all your data. There is also an option to input a "count of events per second".</P> <P><A href="https://splunk-sizing.appspot.com/#st=eps" target="_blank">https://splunk-sizing.appspot.com/#st=eps</A></P> <PRE><CODE>| tstats count WHERE index=* | eval events_per_second=count/(3600*24) </CODE></PRE> <P>You are then able to input the <STRONG>events_per_second</STRONG> value into the sizing calculator and calculate the size of your data that goes in and out per day. </P> <P>With that information you are easily able to calculate the total size of your data. (Still... this is only a rough estimate, keep that in mind)</P> Tue, 29 Sep 2020 20:56:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-volume-by-indexer/m-p/412092#M72943 horsefez 2020-09-29T20:56:17Z