e.g. index = X index = y
can I find out how big index x and y are? maybe the value in bytes?
Can you do some deduction by getting the sizeof a record and the number of events per day and ... calculate a figure that way?
I can tell you exactly how large those indexes are in terms of on disk, and raw size of the events with help of the dbinspect command.
Make sure your time window is set to all time and execute this:
| dbinspect index=X index=Y | stats sum(sizeOnDiskMB) sum(rawSize) by index | rename sum(*) -> *
That will give you the MB on disk for all buckets of each index, as well as the rawSize of the events in the index as well.
Is this what you're looking for?
I compared the output of -
at 24.144531 MBs
du -ks *
which shows -
$ du -ks *
The question is what is your goal that you need timechart? Are you trying to figure out daily license usage or something? (If so try searching on your license master for
index=_internal type=Usage (idx=X or idx=Y) | timechart span=1d sum(b) by idx or something similar if you have to account for multiple Splunk servers) alternatively if you're looking for change in actual disk use, then you'd likely take the search in the answer and do summary indexing on that data. But if you're running into the limits of disk as set into indexes.conf, that might not be as interesting.
dbinspect only has information about the
endEpoch for each bucket in this index.
timechart needs a
_time field to chart it - so either
rename any if the epoch fields which is useful for you or use
chart sum(sizeOnDiskMB) sum(rawSize) over startEpoch by index.
Maybe this will be useful ?