All Apps and Add-ons

Wrong wording for splunk on splunk metrics reports ?

Contributor

In the splunk on splunk application, the second graph in the "metrics" view is called "Estimated indexing volume" but it also contains information generated after indexing raw events (like summarized data). Wouldn't "Estimated total volume" or "Estimated volume" be more appropriate ?

1 Solution

Splunk Employee
Splunk Employee

This panel represents an estimation of indexed volume over time, it is not restricted to the subset of that volume which counts against your daily license quota. This is why you will see data going to indexes such as _internal, _audit or summary indexes listed here.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

This panel represents an estimation of indexed volume over time, it is not restricted to the subset of that volume which counts against your daily license quota. This is why you will see data going to indexes such as _internal, _audit or summary indexes listed here.

View solution in original post

0 Karma

Contributor

Yes, I was talking about data in summary indexes. I check this report mainly for licensing and knowing how far I am from the license limit. But summary data is not counted against the license meter, so this graphs gave me a wrong perception.

0 Karma

Splunk Employee
Splunk Employee

What do you mean by "summarized data" exactly? This panel only shows indexing volume as the volume of raw data written to indexes and measured in metrics.log group=per*thruput. Even summary indexes fall under this category, as they are indexed search results.

0 Karma