https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-I-can-see-how-much-data-is-being-searched-per/m-p/424531#M121743 <P>Above query doesn't give the size of data searched per index, it just shares count on number time index used. </P> <P>Purpose is to validate, data stored vs data actually searched. This is to check abuse on capacity utilization. <BR /> Any other recommendation will be welcome!<BR /> Thanks </P> Fri, 25 Jan 2019 19:51:14 GMT ssagar1009 2019-01-25T19:51:14Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-I-can-see-how-much-data-is-being-searched-per/m-p/424529#M121741 <P>Is there a way I can see how much data is being searched per index?</P> <P>Eg: for an index, a user has searched 10 GB of data over the last 1 hour in across 15 search queries. </P> <P>An index has 100 GB of data, but the last 1-day user searched only 100 MB in the search result.</P> <P>or Index has 100 GB of data, but user searched too often and search a total of 120 GB of data. </P> Fri, 25 Jan 2019 00:21:42 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-I-can-see-how-much-data-is-being-searched-per/m-p/424529#M121741 ssagar1009 2019-01-25T00:21:42Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-I-can-see-how-much-data-is-being-searched-per/m-p/424530#M121742 <P>Please execute the following search sentence. Only inaccurate information on this level can be acquired.</P> <P>I do not know the purpose, but I recommend you to review alternative proposals.</P> <PRE><CODE>index=_audit action=search search=* sourcetype=audittrail | rex field=search "index\s*=\s*\"*(?&lt;IndexUsed&gt;[^\s\"]+)" | search IndexUsed=* | fillnull value="NA" IndexUsed | stats count by IndexUsed </CODE></PRE> Fri, 25 Jan 2019 01:09:37 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-I-can-see-how-much-data-is-being-searched-per/m-p/424530#M121742 HiroshiSatoh 2019-01-25T01:09:37Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-I-can-see-how-much-data-is-being-searched-per/m-p/424531#M121743 <P>Above query doesn't give the size of data searched per index, it just shares count on number time index used. </P> <P>Purpose is to validate, data stored vs data actually searched. This is to check abuse on capacity utilization. <BR /> Any other recommendation will be welcome!<BR /> Thanks </P> Fri, 25 Jan 2019 19:51:14 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-I-can-see-how-much-data-is-being-searched-per/m-p/424531#M121743 ssagar1009 2019-01-25T19:51:14Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-I-can-see-how-much-data-is-being-searched-per/m-p/424532#M121744 <P>I can tell you generally how to do this, but it seems crazy to me and there doesn't seem to be any useful reason to do this. You start by use a REST query to tell you what searches have run recently. Then you query the job details REST API to get access to the <CODE>search.log</CODE> for the job. In there it will tell you the <CODE>number of events scanned</CODE>. You can then get the <CODE>optimized search</CODE> from the same log and hopefully get a <CODE>sourcetype</CODE> from there. Then you can perform a search using <CODE>avg(len(_raw)</CODE> against that sourcetype and multiply this iw the <CODE>events scanned</CODE> number. That is probably the best that you can do it is making many assumptions and not going to be too accurate.</P> Fri, 25 Jan 2019 21:11:38 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-I-can-see-how-much-data-is-being-searched-per/m-p/424532#M121744 woodcock 2019-01-25T21:11:38Z