https://community.splunk.com/t5/Getting-Data-In/len-raw-vs-dbinspect-rawSize/m-p/408033#M94490 <P>I use a simple query to determine the amount of data I've sent to splunk:</P> <PRE><CODE>index=x |eval esize=len(_raw) |timechart sum(esize) span=1h </CODE></PRE> <P>This is pretty expensive when ran over long timeranges. I also tried this:</P> <PRE><CODE>|dbinspect index=x |eval date=strftime(startEpoch,"%F") |chart sum(rawSize) over date |rename sum(*) -&gt; * </CODE></PRE> <P>The results are different, dbinspect reporting lower values than len(_raw). </P> <P>Any ideas on a cheap way to get the right results?</P> Fri, 29 Jun 2018 12:20:27 GMT Hoekb03 2018-06-29T12:20:27Z https://community.splunk.com/t5/Getting-Data-In/len-raw-vs-dbinspect-rawSize/m-p/408033#M94490 <P>I use a simple query to determine the amount of data I've sent to splunk:</P> <PRE><CODE>index=x |eval esize=len(_raw) |timechart sum(esize) span=1h </CODE></PRE> <P>This is pretty expensive when ran over long timeranges. I also tried this:</P> <PRE><CODE>|dbinspect index=x |eval date=strftime(startEpoch,"%F") |chart sum(rawSize) over date |rename sum(*) -&gt; * </CODE></PRE> <P>The results are different, dbinspect reporting lower values than len(_raw). </P> <P>Any ideas on a cheap way to get the right results?</P> Fri, 29 Jun 2018 12:20:27 GMT https://community.splunk.com/t5/Getting-Data-In/len-raw-vs-dbinspect-rawSize/m-p/408033#M94490 Hoekb03 2018-06-29T12:20:27Z https://community.splunk.com/t5/Getting-Data-In/len-raw-vs-dbinspect-rawSize/m-p/408034#M94491 <P>I usually get that sort of info from the license usage events in _internal.</P> <P>Eg: </P> <PRE><CODE>index="_internal" source="*license_usage.log" type=Usage | bin _time span=1d | stats sum(b) AS bytes by _time,idx | eval DailyGB=bytes/1024/1024/1024 | timechart sum(DailyGB) by idx span=1d </CODE></PRE> Fri, 29 Jun 2018 14:19:30 GMT https://community.splunk.com/t5/Getting-Data-In/len-raw-vs-dbinspect-rawSize/m-p/408034#M94491 FrankVl 2018-06-29T14:19:30Z