How to find size of logs during ingestion, on disk...

allan_newton · ‎09-15-2015

Hi,

I'm using Splunk on Splunk (sos) app to know the size of the disk usage, and index size. Index usage is more than 5 GB per day, but the size of the index on disk is only few hundred mb.

What is the size of logs during ingestion?
What is the size of logs on the disk?
What is the size of the index?

Thanks in advance.

lguinn2 · ‎09-16-2015

You can find most of this information in the Splunk internal index _internal. Also, you might consider using the Distributed Management Console instead of the SOS App, as it has more information of this sort. Plus, the DMC is free to use, while the SOS App actually uses some of your Splunk license. Finally, the DMC will let you set alerts about resource consumption in your environment... but I digress.

The size of the logs on the disk is not something that Splunk will track, as the original logs may be on a forwarder. However, Splunk does track the inbound raw size of the data, which should probably correspond pretty closely.

A useful command is dbinspect, which can slice and dice information about your indexes in a variety of ways. For example, the following command (yes, it starts with a pipe), will give you the disk space consumed by all your indexes, divided into hot/warm vs. cold.

| dbinspect index=_* 
| eval state=if(state=="hot" OR state=="warm","hot/warm",state)
| stats sum(rawSize) as rawSizeTotal sum(sizeOnDiskMB) as diskused by splunk_server index state
| eval "Raw Size MB"=round(rawSizeTotal/1024/1024,3) | eval "Disk Used MB"=round(diskused,3)
| fields - rawSizeTotal diskused

How to find size of logs during ingestion, on disk, and the size of the index?

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability