Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Stored events per indexer graph?

PaulEscher
Explorer
‎05-06-2011 11:12 AM

On the summary page, under Global summary, there is an "Events indexed" number. I'd like to be able to see the number of events indexed per indexer over time.

Is there a daily summary number for indexed events per indexer?

This would show me if there is any missing data and also if the indexers are taking an equal number of events overtime.

Thanks,
Paul

Tags (2)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-06-2011 04:36 PM

You might consider using bytes indexed rather than the count of events if you're just looking for patterns and comparisons. Splunk records this in license_audit.log on each indexer each day:

index=_internal source=*license_audit.log | timechart span=1d sum(todaysBytesIndexed) as prevDaysBytesIndexed by splunk_server

If you must use the event count, you can use:

index=_internal source=*metrics.log "group=thruput" "name=index_thruput" | timechart span=1d sum(ev) as events by splunk_server

This is a somewhat more expensive search, though not really that bad.

Reply

PaulEscher
Explorer
‎05-06-2011 08:14 PM

Is the "Events Indexed" number telling me how many events were indexed up to that point, or the number of events that are indexed currently (as in the buckets and available for searching)?

I'd like to track that number, but per indexer, in the case of file corruption or something similar.

I'll try your second query and see what I get.

Thanks,
Paul

0 Karma
Reply

Genti
Splunk Employee
Splunk Employee
‎05-06-2011 02:13 PM

so, the search that populates that view is this: 

| metadata type=sourcetypes | search totalCount>0 | rename totalCount as Count recentTime as "Last Update" | stats sum(Count)

You can setup a saved search that writes to a summary index every night at 00:00
Then you will have single values for each 24 hour period and see how your data grows everyday.
Again, this will be number of events, so if you wanted to know actual size you would want to run other searches.

Hope this helps,

.gz

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-06-2011 04:27 PM

This has a couple of problems. First, it only shows a total, so you can only get daily counts by storing and computing the difference between runs. Second and more importantly, the metadata command does not split out counts by indexer.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...