https://community.splunk.com/t5/Monitoring-Splunk/data-ingestion/m-p/700891#M10454 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272456">@sverdhan</a>&nbsp;,</P><P>Go in [Settings &gt; Licensing &gt; License Usage &gt; Previous 60 days &gt; Split by Sourcetype] and you'll have your search that will be:</P><LI-CODE lang="markup">index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by st fixedrange=false | fields - _timediff | foreach * [eval &lt;&lt;FIELD&gt;&gt;=round('&lt;&lt;FIELD&gt;&gt;'/1024/1024/1024, 3)]</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 03 Oct 2024 14:16:34 GMT gcusello 2024-10-03T14:16:34Z https://community.splunk.com/t5/Monitoring-Splunk/data-ingestion/m-p/700873#M10453 <P>Hello everyone,</P> <P>&nbsp;</P> <P>I have created a query that list sourectypes :&nbsp;</P> <LI-CODE lang="markup">index=_audit action=search info=granted source="*metrics.log" group="per_sourcetype_thruput" | eval _raw=search | eval _raw=mvindex(split(_raw,"|"),0) | table _raw | extract | stats count by sourcetype | eval hasBeenSearched=1 | append [| metadata index=* type="sourcetypes" | eval hasBeenSearched="0"] | chart sum(kb) by series | sort - sum(kb) | search hasBeenSearched="0" | search NOT[inputlookup sourcetypes_1.csv | fields sourcetype]</LI-CODE> <P>I would want to modify this query such that it also enlists the volume&nbsp; ingestion&nbsp; of these sourcetypes as well...Kindly suggest</P> Thu, 03 Oct 2024 19:43:40 GMT https://community.splunk.com/t5/Monitoring-Splunk/data-ingestion/m-p/700873#M10453 sverdhan 2024-10-03T19:43:40Z https://community.splunk.com/t5/Monitoring-Splunk/data-ingestion/m-p/700891#M10454 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272456">@sverdhan</a>&nbsp;,</P><P>Go in [Settings &gt; Licensing &gt; License Usage &gt; Previous 60 days &gt; Split by Sourcetype] and you'll have your search that will be:</P><LI-CODE lang="markup">index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by st fixedrange=false | fields - _timediff | foreach * [eval &lt;&lt;FIELD&gt;&gt;=round('&lt;&lt;FIELD&gt;&gt;'/1024/1024/1024, 3)]</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 03 Oct 2024 14:16:34 GMT https://community.splunk.com/t5/Monitoring-Splunk/data-ingestion/m-p/700891#M10454 gcusello 2024-10-03T14:16:34Z