Dashboards & Visualizations

Data Ingestion volume by group

phanikumarcs
Explorer

Hello @ITWhisperer ,

i am trying to get the details of "the volume of data ingestion, broken down by index group"

i tried this SPL unable to get the results in the table

index=summary source="splunk-ingestion"
|dedup keepempty=t _time idx
|stats sum(ingestion_gb) as ingestion_gb by _time idx
|bin _time span=1h
|eval ingestion_gb=round(ingestion_gb,3)
|eval group_field=if(searchmatch("idx=.*micro.*group1"), "group1",searchmatch("idx=.*soft.*"), "group2", true(), "other")
|timechart limit=0 span=1d sum(ingestion_gb) as GB by group_field

We are having list of indexes like:
AZ_micro
micro
AD_micro
Az_soft
soft
AZ_soft


From the above indexes 'micro' are grouped under the name 'microgroup', while the indexes 'soft' are grouped under 'softgroup', and so on like below.

so, in the table i want to show the volume of the "groups" like
------------------------------------------
group name         |               volume
------------------------------------------
microgroup         |              <0000>
softgroup             |              <0000>

Labels (1)
Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Your expected output doesn't have a time element so why are you using timechart, or indeed bin _time?

0 Karma

phanikumarcs
Explorer

@ITWhisperer extremely sorry to write in the table, need time as well.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Why use bin span=1h and then use span=1d in the timechart? The bin span=1h is redundant.

What does our timechart search give you and why does it not match your requirement?

0 Karma
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...