All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find size of logs during ingestion, on disk, and the size of the index?

allan_newton
Path Finder
‎09-15-2015 11:08 PM

Hi,

I'm using Splunk on Splunk (sos) app to know the size of the disk usage, and index size. Index usage is more than 5 GB per day, but the size of the index on disk is only few hundred mb.

What is the size of logs during ingestion?
What is the size of logs on the disk?
What is the size of the index?

Thanks in advance.

0 Karma
Reply

lguinn2
Legend
‎09-16-2015 12:15 AM

You can find most of this information in the Splunk internal index _internal. Also, you might consider using the Distributed Management Console instead of the SOS App, as it has more information of this sort. Plus, the DMC is free to use, while the SOS App actually uses some of your Splunk license. Finally, the DMC will let you set alerts about resource consumption in your environment... but I digress.

The size of the logs on the disk is not something that Splunk will track, as the original logs may be on a forwarder. However, Splunk does track the inbound raw size of the data, which should probably correspond pretty closely.

A useful command is dbinspect, which can slice and dice information about your indexes in a variety of ways. For example, the following command (yes, it starts with a pipe), will give you the disk space consumed by all your indexes, divided into hot/warm vs. cold.

| dbinspect index=_* 
| eval state=if(state=="hot" OR state=="warm","hot/warm",state)
| stats sum(rawSize) as rawSizeTotal sum(sizeOnDiskMB) as diskused by splunk_server index state
| eval "Raw Size MB"=round(rawSizeTotal/1024/1024,3) | eval "Disk Used MB"=round(diskused,3)
| fields - rawSizeTotal diskused
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...