Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Help to find daily indexed data size by each i...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dhavamanis
Builder
06-10-2015
12:10 PM
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppablo
Retired
06-10-2015
12:30 PM
Hi @dhavamanis
There are large number of the same, if not similar, question already posted on Answers. Do the search(es) in this post answer your question? There's an option per day and per month.
http://answers.splunk.com/answers/154773/how-to-create-a-report-that-shows-max-indexed-volume-per-da...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppablo
Retired
06-10-2015
12:30 PM
Hi @dhavamanis
There are large number of the same, if not similar, question already posted on Answers. Do the search(es) in this post answer your question? There's an option per day and per month.
http://answers.splunk.com/answers/154773/how-to-create-a-report-that-shows-max-indexed-volume-per-da...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dhavamanis
Builder
06-10-2015
01:19 PM
Thanks, i have just added wildcard search for source to get the results.
index=_internal source="*license_usage.log*" type=Usage | eval yearmonthday=strftime(_time, "%Y%m%d") | eval yearmonth=strftime(_time, "%Y%m%d") | stats sum(eval(b/1024/1024/1024)) AS volume_b by idx yearmonthday yearmonth | chart sum(volume_b) over yearmonth by idx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
indut
Path Finder
02-20-2025
02:19 AM
hi, Why do we have 2 fields yearmonthday and yearmonth in this query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
indut
Path Finder
02-20-2025
02:50 PM
hi any update on this from anyone ? Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppablo
Retired
06-10-2015
01:26 PM
Great, I'm glad it helped you find your solution 🙂
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
