Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I determine my indexing volume not by host, source, or sourcetype?

thepocketwade
Path Finder
‎01-06-2011 03:53 PM

I'm trying to determine what percentage of my daily indexing volume is made up of a specific group of logs. For example, I want to know the volume of all the logs with EventCode = 4720.

I know how to find total log volume over a given time period, but I haven't been able to get these strategies to work with the EventCode specification. Can I make this work?

Reply

Paolo_Prigione
Builder
‎01-06-2011 04:13 PM

I don't think Splunk can trace custom stats on log by default, but you could use a workaround: just aggregate the total length of the logs matching the eventcode. This would yeald a good approximation of the intended result.

Something like:

EventCode = 4720 | eval size=len(_raw) | stats sum(size) as totSize

As this might take a long time, you could store the results in the summary index: use a scheduled search (the example is hourly)

EventCode=4720 earliest=-1h@h latest=@h | eval size=len(_raw) | sistats sum(size) | collect index=<sumindex> marker="EventCode=4720"

then retrieve the data as:

index=<sumindex> EventCode=4720 | stats sum(size)
Reply

Lowell
Super Champion
‎01-06-2011 07:25 PM

Agreed. I think this is probably the only option. I would suggest that if you are going to sum up the bytes, you may as well also store a count of the events; to give you values more comparable to the builtin metrics. You could do something like: | stats eval(round(sum(size)/1024,2)) as total_kb, count as events you could from there calculate average rates too since you know the time span.

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...