Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Amount of data sent by forwarder Vs Amount of data indexed Vs License usage Vol. Vs Size of Indexed data on Disk

splunker12er
Motivator
‎06-11-2015 02:05 AM

Amount of data sent by forwarder Vs Amount of data indexed Vs License usage Vol. Vs Size of Indexed data on Disk

ideally,
Amount of data sent by forwarder = Amount of data indexed (Considering no logs are directed to nullqueue)
E.g. 60MB data / min (Splunk forwarder ---> Splunk Indexer)

Here, are my assumptions,
Amount of data sent = 60mb
Amount of data indexed = 60mb
License usage = 60mb
Size of indexed data on disk = ? (Is there any metrics to identify this field ?)

I do run various search against metrics.log to analyze:

  1. speed of indexing
  2. amount of data sent by hosts from forwarder to indexer
  3. License usage by hosts

Is there any way we can correlate the above fields and derive the size of indexed data on disk? Any help is much appreciated. I would like to create a dashboard comparing these fields / on a daily-basis

help on this will be much useful

Reply

rphillips_splk
Splunk Employee
Splunk Employee
‎06-11-2015 11:06 AM

running this search will give you disk consumption by index & splunk_server:

| rest /services/data/indexes
| eval indexSizeGB = if(currentDBSizeMB > 1, round(currentDBSizeMB / 1024, 2), null())
| rename title AS index
| stats first(indexSizeGB) AS "Disk Usage (GB)" by index, splunk_server

NOTE: This Information is exposed in the "Indexes & Volumes" views of the Distributed Management Console as of 6.3.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...