How to get a search to show indexed data by index per day?

Path Finder

I realize this is yet another newbie question, but I need a search to show me indexed data, by index, per day. Does this exist in SOS or elsewhere? Ideas?

0 Karma

Re: How to get a search to show indexed data by index per day?

Splunk Employee

This is in SOS.

Just click on view results on the bottom to get into the data itself.

Re: How to get a search to show indexed data by index per day?

Path Finder

I think that will do it! Thanks

0 Karma

Re: How to get a search to show indexed data by index per day?

Explorer

Excellent!

0 Karma

Re: How to get a search to show indexed data by index per day?

Explorer

Only shows top 10, how do you get all of them?

0 Karma

Re: How to get a search to show indexed data by index per day?

Splunk Employee

The search that is run behind the scenes in S.O.S. is essentially:

    index=_internal host="*" source=*metrics.log group="per_index_thruput"
    | bin _time
    | stats sum(kb) AS KB by series,_time
    | timechart minspan=30s sum(eval(round(KB/1024/1024,2))) by series

Does that give you what you need? - assuming the time span is selected for what you're looking for (aka yesterday, last week, etc.)

0 Karma

Re: How to get a search to show indexed data by index per day?

Explorer

Hi yes, when I click on "open in search" that's the query, but where in that query are they specifying only to return top 10? How do I modify that query to include all of the indexes, or if I wanted to filter for a particular index? Thanks in advance.

0 Karma

Re: How to get a search to show indexed data by index per day?

Explorer

Anyone? How do you show more than the 10 indexes?

0 Karma
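
Added example (not part of the thread and not the S.O.S. app's own search): `timechart` keeps only the 10 highest-volume `by` series by default and groups the rest under OTHER, so the variant below sets `limit=0` to return every index and `useother=f` to drop the OTHER column, with one-day buckets. The `series="*"` term is where a filter goes; replacing it with a single index name such as `series="main"` is an assumption for illustration.

```spl
index=_internal source=*metrics.log group="per_index_thruput" series="*"
| bin _time span=1d
| stats sum(kb) AS KB by series, _time
| eval GB = round(KB / 1024 / 1024, 2)
| timechart span=1d limit=0 useother=f sum(GB) by series
```

`metrics.log` itself records only the busiest series per sampling interval (`maxseries` under `[metrics]` in limits.conf, 10 by default), so low-volume indexes can still be under-reported even with `limit=0`.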