How to create a search and dashboard to display th...

sympatiko · ‎03-29-2015

Hi splunkers,

Good day! I just to ask if possible to see the per index volume usage? Let's just say I have multiple indexes like index1 index2 index3. Then I want to create a dashboard that will check index1 index2 and index3 daily volume usage? Is it possible?

Thanks,

masonmorales · ‎03-30-2015

You can check-out an app I wrote for this too, it's free: https://splunkbase.splunk.com/app/2678/

mendesjo · ‎02-24-2016

what a great looking app. Like allot of other apps and queries you find on here try it or install it, doesn't work. Install it, no issue, load up the dashboard wow looks great. Let's use it.. go to license usage.. says populating, drum roll.. nothing no data.

ChrisG · ‎03-30-2015

Are you using Splunk Enterprise 6.x? Use the License Usage Reporting View. Settings > Licensing > Usage Report. See About the Splunk Enterprise license usage report view in the Admin Manual for more information.

Tanefo · ‎03-30-2015

hi
it yes possible
index=* OR index=_*| stats count(Volume) by index
you will need to replace Volume by the field name which represente your volume in the index
for other information concerning this please let me know.
thanks and regards

sympatiko · ‎03-30-2015

By the way Im doing this in a cluster mode. RF=3 SF=3

mendesjo · ‎02-24-2016

Why do these queries only show your top 10 indexes? I must be missing something obvious, It shows 10 indexes usually in a column.. but where are all the rest?

sympatiko · ‎03-30-2015

Hi, thanks for the reply. Sorry Im just new to splunk, what is that particular field?

Tanefo · ‎03-30-2015

sorry sympatiko move Volume and run just

index=* OR index=_*| stats count by index

it give you eventypes volume by index but if you want data volume( like MB, GB) i think that its not possible.
you can just see volume data in this path: -> Settings -> Indexes

Tanefo · ‎03-30-2015

it give you eventypes volume by index but if you want data volume( like MB, GB) i think that its not possible

sympatiko · ‎03-30-2015

Thanks for your help. I'll give it a shot. Thanks so much, long live!

satishsdange · ‎03-30-2015

If you are admin user, login into Splunk console -> Settings -> Indexes. It will give you index name, size, event count etc.

sympatiko · ‎03-30-2015

Hi, Im doing this in a cluster. Thanks

ngatchasandra · ‎03-30-2015

Hi sympatiko,
Try with this query, index=* OR index=_* |timechart span=1d count by index and you are going to see daily count by index.

Your query will be like: index=index1 OR index=index2 OR index= index3 |timechart span=1d count(volume) by index where volume is your field .

sympatiko · ‎03-30-2015

Hi, thanks for the reply. Sorry Im just new to splunk, what is that particular field?

ngatchasandra · ‎03-30-2015

Wich particular field?

sympatiko · ‎03-30-2015

Thanks casandra =). I'll try that one

ngatchasandra · ‎03-31-2015

Please if you don't satisfy let me now. If you satisfy, don't forget to vote.

ngatchasandra · ‎03-30-2015

Try only with index=index1 OR index=index2 OR index= index3 |timechart span=1d count by index

How to create a search and dashboard to display the daily license volume usage per index?

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)