Solved: Re: How to get a search to show indexed data by in...

dolfantimmy · ‎11-12-2014

I realize this is yet another newbie question, but I need a search to show me indexed data, by index, per day. Does this exist in SOS or elsewhere? Ideas?

aljohnson_splun · ‎11-12-2014

This is in SOS.

Just click on view results on the bottom to get into the data itself.

View solution in original post

aljohnson_splun · ‎11-12-2014

This is in SOS.

Just click on view results on the bottom to get into the data itself.

dolfantimmy · ‎11-12-2014

I think that will do it! Thanks

mendesjo · ‎02-16-2016

Only shows top 10, how do you get all of them?

pgreer_splunk · ‎02-16-2016

The search that is run behind the scenes in S.O.S. is essentially:

 index=_internal host="*" source=*metrics.log group="per_index_thruput"
            | bin _time 
            | stats sum(kb) AS KB by series,_time
            | timechart minspan=30s  sum(eval(round(KB/1024/1024,2))) by series

Does that give you what you need? - assuming the time span is selected for what you're looking for (aka yesterday, last week, etc.)

mendesjo · ‎02-16-2016

Hi yes, when I click on "open in search" that's the query, but where in that query are they speciifying only to return top 10? How do I modify that query to include all of indexes, or if I wanted to filter for a particuliar index? Thanks in advance.

mendesjo · ‎02-24-2016

Anyone? How do you show more than the 10 indexes?

mendesjo · ‎02-02-2016

Excellent!

How to get a search to show indexed data by index per day?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases