How to get a search to show indexed data by index per day?

dolfantimmy
Path Finder

I realize this is yet another newbie question, but I need a search to show me indexed data, by index, per day. Does this exist in SOS or elsewhere? Ideas?

0 Karma
1 Solution

aljohnson_splun
Splunk Employee

This is in SOS.

Just click on view results on the bottom to get into the data itself.

dolfantimmy
Path Finder

I think that will do it! Thanks

0 Karma

mendesjo
Path Finder

Only shows top 10, how do you get all of them?

0 Karma

pgreer_splunk
Splunk Employee

The search that is run behind the scenes in S.O.S. is essentially:

    index=_internal host="*" source=*metrics.log group="per_index_thruput"
    | bin _time
    | stats sum(kb) AS KB by series,_time
    | timechart minspan=30s sum(eval(round(KB/1024/1024,2))) by series

Does that give you what you need? - assuming the time span is selected for what you're looking for (aka yesterday, last week, etc.)

0 Karma

mendesjo
Path Finder

Hi yes, when I click on "open in search" that's the query, but where in that query are they specifying only to return top 10? How do I modify that query to include all of the indexes, or if I wanted to filter for a particular index? Thanks in advance.

0 Karma

mendesjo
Path Finder

Anyone? How do you show more than the 10 indexes?

0 Karma

mendesjo
Path Finder

Excellent!

0 Karma
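
Added example, not part of the original thread and not the S.O.S. app's own search: the query quoted above stops at ten series because `timechart` defaults to `limit=10` and folds the remainder into an OTHER column. This variant buckets by day, sets `limit=0 useother=f` so every index gets its own column, and uses `series="*"` as the filter; replace the wildcard with an index name to report on a single index.

```spl
index=_internal source=*metrics.log group="per_index_thruput" series="*"
| bin _time span=1d
| stats sum(kb) AS KB by series, _time
| eval GB = round(KB / 1024 / 1024, 2)
| timechart span=1d limit=0 useother=f sum(GB) AS GB by series
```

metrics.log itself records only the busiest series in each sampling interval (10 by default), so the daily totals for low-volume indexes are approximate.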