All Apps and Add-ons

How to find size of logs during ingestion, on disk, and the size of the index?

allan_newton
Path Finder

Hi,

I'm using Splunk on Splunk (sos) app to know the size of the disk usage, and index size. Index usage is more than 5 GB per day, but the size of the index on disk is only few hundred mb.

What is the size of logs during ingestion?
What is the size of logs on the disk?
What is the size of the index?

Thanks in advance.

0 Karma

lguinn2
Legend

You can find most of this information in the Splunk internal index _internal. Also, you might consider using the Distributed Management Console instead of the SOS App, as it has more information of this sort. Plus, the DMC is free to use, while the SOS App actually uses some of your Splunk license. Finally, the DMC will let you set alerts about resource consumption in your environment... but I digress.

The size of the logs on the disk is not something that Splunk will track, as the original logs may be on a forwarder. However, Splunk does track the inbound raw size of the data, which should probably correspond pretty closely.

A useful command is dbinspect, which can slice and dice information about your indexes in a variety of ways. For example, the following command (yes, it starts with a pipe), will give you the disk space consumed by all your indexes, divided into hot/warm vs. cold.

| dbinspect index=_* 
| eval state=if(state=="hot" OR state=="warm","hot/warm",state)
| stats sum(rawSize) as rawSizeTotal sum(sizeOnDiskMB) as diskused by splunk_server index state
| eval "Raw Size MB"=round(rawSizeTotal/1024/1024,3) | eval "Disk Used MB"=round(diskused,3)
| fields - rawSizeTotal diskused
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...