- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Evaluating the size (MB/GB) of a specific Source.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Evaluating the size (MB/GB) of a specific Source.
Every time there is a 'build' performed on our code a new log is created in the tool which is fed to Splunk and in Splunk that comes under as a new 'source'.
Example : If in Splunk there are 6 sources now and a new build is performed on our server then you see the source count will become 7. Every 5 days the build logs are deleted from the server , hence it gets automatically vanished from Splunk sources as well.
The question is, Is it possible to know the size of each source (build log) in MB/Gb (not linecount).
The sources look like,
/bsahare/bsassian/application-data/rambo/xml-data/builds/1
/bsahare/bsassian/application-data/rambo/xml-data/builds/2"
/bsahare/bsassian/application-data/rambo/xml-data/builds/234"
/bsahare/bsassian/application-data/rambo/xml-data/builds/45"
etc...
So the query starts like ,
| index=rambo host=GA20htkram001 source="/bsahare/bsassian/application-data/rambo/xml-data/builds/*"
And I am not a Splunk Administartor so my privileges are limited as a User.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Probably not, unless the size of the build is fed into splunk in that same record, or some other way.
On the other hand, if splunk is receiving the entire build code, then YES, approximately. Try running something like this, and see if the answer (mySize) makes any sense as being the size of a build in bytes.
index=rambo host=GA20htkram001 source="/bsahare/bsassian/application-data/rambo/xml-data/builds/*"
| eval mySize=len(_raw)
| stats sum(mySize) as mySize by source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your assistance.
Just wanted to confirm again, if we indeed get the results in "bytes"?
IF yes, then that's totally awesome. We can get it converted to GB or MB and make it work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FYI, the above can also be accomplished with tstats, and that's the way to go in the long run if the data is there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
could you please give an example with sample query on how to do the same with tstats
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
