Archive

How to get usage of a particular index or query usage?

Path Finder

Hey all,
was wondering if there is way to find out usage of perticular index I have a query which gives some numbers i belive it is in kb's so i devided with 1048576 to get in GB's.
but is there any other ways to get more accurate data or some other ways so we can keep eyes on index=test usage data by user or by day something like that.

index=test | eval length = length(_raw)/ 1048576  | timechart span=1d sum(length) as Length

I have also been trying with below query but there is no data I get.

index=test source=*license_usage.log* type=Usage 

thanks

0 Karma

Path Finder

You can navigate to the Monitoring Console and view indexes with amount of data over time. It uses "index=_internal source=license_usage.log type=Usage" by default.

If you're searching "index=test source=license_usage.log type=Usage" then you will not be able to find license_usage.log because they are in index=_internal.

0 Karma

Path Finder

I was looking to find out details for index=test

how much data is written on index ?
how often index=test is used in search queries?

0 Karma

Path Finder

any suggestions

0 Karma

Path Finder

For how much data is written on index, you could view it through the gui by going to Settings > Indexes and viewing the summary of the index. If you need more granular let me know but I don't have access to verify searches right now.

This link provides a search which uses the _audit index to view what users are doing. Again, I can't verify right now but if you follow the advice you should be able to get retrieve all the events which include search queries. You would then need to search for "index=test" within those results and do a stats count. Please take a look and report back.

https://answers.splunk.com/answers/149332/how-to-view-the-list-of-search-queries-run-for-a-given-tim...

0 Karma

Path Finder

I wanted to see how usage looks like.
ex.. if we doing 30% of data in index or calculation of all events and space using or may be how it runs month to date and shows usage looks like.

0 Karma

Path Finder

i have poweruser roles not the admin roles and if i try doing search with index=test

"index=test action=search" nuthing shows up it looks like no action field available for every index ??

0 Karma

SplunkTrust
SplunkTrust

Are you trying to find out how much data is written to index=test or how often 'index=test' is used in a search query?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Path Finder

yes exactly both

0 Karma

Path Finder

any suggestions

0 Karma