Getting Data In

How to create a chart of the total GB by source or sourcetype for a specific index?

fertlaloc
New Member

I'm new in Splunk, and I'm an autodidact. It's been a long time (years) since I have done anything with programming or commands, but Splunk, I like it.
In this moment, I have created an INDEX with around 90 sources and almost 100 Sourcetypes. My questions is, How to show the total GB by source or sourcetype for this specific INDEX? My Splunk instance has more sources and indexes.

gracias a todos amigos

0 Karma
1 Solution

somesoni2
Revered Legend

Run this from your license master node. You may be able to run this on regular search head if you're forwarding license master node to indexers.

For license usage by source

index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by s | eval gb=round(b/(1024*1024*1024),4)

For sourcetypes

index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by st | eval gb=round(b/(1024*1024*1024),4)

View solution in original post

0 Karma

ddrillic
Ultra Champion

Hola,

You can also view the index sizes from the replication server, under Settings > Indexer clustering > Indexes -

alt text

Hasta luego

0 Karma

somesoni2
Revered Legend

Run this from your license master node. You may be able to run this on regular search head if you're forwarding license master node to indexers.

For license usage by source

index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by s | eval gb=round(b/(1024*1024*1024),4)

For sourcetypes

index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by st | eval gb=round(b/(1024*1024*1024),4)

View solution in original post

0 Karma

fertlaloc
New Member

Thank you, was succesful, see you

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.