topic Re: Daily Ingest per index for last 7 days in Monitoring Splunk

Daily Ingest per index for last 7 days

Splunkerninja — Wed, 24 Apr 2024 08:28:56 GMT

Hi , I came across many queries to calculate daily ingest per index for last 7 days but I am not getting the expected results.

Can you please guide me with the query to calculate the daily ingest per index in GB for last 7 days?

Re: Daily Ingest per index for last 7 days

bowesmana — Wed, 24 Apr 2024 09:18:54 GMT

so what did you try and what gave you the wrong results

This is the basic search

index=_internal source=/opt/splunk/var/log/splunk/license_usage.log idx=* st=* | stats sum(b) as bytes by idx | eval gb=round(bytes/1024/1024/1024,3)

Run that over the time range you want

Re: Daily Ingest per index for last 7 days

gcusello — Wed, 24 Apr 2024 09:21:43 GMT

Hi @Splunkerninja,

do you want to calcuate the icense consuption or the number of events per index and per day?

In the first case see at [Settings > License > License Consuption past 60 days > by Index], or run this:

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | dedup _time stack | stats sum(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

In the second case, you could try something ike this:

index=* | bin span=1d _time | chart count OVER index BY _time

Ciao.

Giuseppe

Re: Daily Ingest per index for last 7 days

Splunkerninja — Wed, 24 Apr 2024 09:45:46 GMT

The first query is not giving me any results. Even i replaced the macro with actualy query it gives zero result.

I basically want the total of daily ingest of each index over 7 days

index=_internal [ rest splunk_server=local /services/server/info | return host] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | join type=outer _time [ search index=_internal [ rest splunk_server=local /services/server/info | return host] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | dedup _time stack | stats sum(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [ eval <>=round('<>'/1024/1024/1024, 3)]

Re: Daily Ingest per index for last 7 days

gcusello — Wed, 24 Apr 2024 09:59:40 GMT

Hi @Splunkerninja ,

does the search in [Settings > License > License Consuption > last 60 days > divided by index] run?

I only copied this search.

Ciao.

Giuseppe

Re: Daily Ingest per index for last 7 days

Splunkerninja — Wed, 24 Apr 2024 11:26:18 GMT

@gcusello @bowesmana We are on splunk cloud and we use workload based management for licenseing i.e SVC . So the query which you are giving is not giving aggregate daily ingest per index for last 7 days

Re: Daily Ingest per index for last 7 days

scelikok — Wed, 24 Apr 2024 12:11:47 GMT

Hi @Splunkerninja,

You can use below query;

index=_internal source=*license_usage.log* type="Usage" | timechart span=1d eval(round(sum(b)/1024/1024/1024,3)) as GB by idx