Getting Data In

How to create a chart of the total GB by source or sourcetype for a specific index?

New Member

I'm new in Splunk, and I'm an autodidact. It's been a long time (years) since I have done anything with programming or commands, but Splunk, I like it.
In this moment, I have created an INDEX with around 90 sources and almost 100 Sourcetypes. My questions is, How to show the total GB by source or sourcetype for this specific INDEX? My Splunk instance has more sources and indexes.

gracias a todos amigos

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Run this from your license master node. You may be able to run this on regular search head if you're forwarding license master node to indexers.

For license usage by source

index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by s | eval gb=round(b/(1024*1024*1024),4)

For sourcetypes

index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by st | eval gb=round(b/(1024*1024*1024),4)

View solution in original post

0 Karma

Ultra Champion

Hola,

You can also view the index sizes from the replication server, under Settings > Indexer clustering > Indexes -

alt text

Hasta luego

0 Karma

SplunkTrust
SplunkTrust

Run this from your license master node. You may be able to run this on regular search head if you're forwarding license master node to indexers.

For license usage by source

index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by s | eval gb=round(b/(1024*1024*1024),4)

For sourcetypes

index=_internal source=*license_usage.log type=usage idex=YourIndex | stats sum(b) as bytes by st | eval gb=round(b/(1024*1024*1024),4)

View solution in original post

0 Karma

New Member

Thank you, was succesful, see you

0 Karma