Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I find out how much volume hosts are sending to my "main" index?

johnblakley
Explorer
‎09-27-2017 08:43 AM

I need to find how much volume hosts are sending to my "main" index. The search below queries the internal index, and I'm not seeing the hosts that I need. If I search a specific host under main index, the host is there and actively sending data to the indexer. I've tried modifying the search from index="_internal" to index="main", and it doesn't report anything back

From:

index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)

To:

index="main" source="WMI:WinEventLog:Security" | chart sum(kb) by series | sort - sum(kb)

But, with only:

index="main" source="WMI:WinEventLog:Security"

Brings back 2710 results from today.

I have hosts that are sending to this index, and I need to be able to tell how much data they're sending, but the internal index isn't showing them for some reason....

0 Karma
Reply

sbbadri
Motivator
‎09-27-2017 09:47 AM

@johnblakley

Please try with below query,

index=_internal source=*license_usage.log type="Usage" earliest=-30d@d latest=@d | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval idx=main | bin _time span=1d | eval b=b/1024/1024/1024 | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | addtotals | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d latest=@d | bin _time span=1d | stats latest(stacksz) AS "stack_size" by _time] | eval stack_size = round(stack_size/1024/1024/1024,5)

There is one app in splunkbase named meta woot. It will give some more capabilities.

https://splunkbase.splunk.com/app/2949/

0 Karma
Reply

johnblakley
Explorer
‎09-27-2017 11:29 AM

Your search didn't work. It resulted in nothing found. Metawoot doesn't find anything and it doesn't seem like I can change the index to anything but "All".

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...