Solved: How to determine index volume by sourcetype?

echojacques · ‎09-15-2014

Hello,

How can I determine the index volume by sourcetype? The reason why I ask is because occasionally I'll have a big spike in my index volume that threatens my license cap and I'm trying to find the best way to determine the cause of the spike. If I can create a chart that shows volume by sourcetype (over X hours) then I can identify the culprit and dig in from there.

Or even better, is there a search that I can run that actually identifies the cause of the spike (not just the sourectype)?

Thanks!

ykherianDEPRECA · ‎09-15-2014

Trust the license usage (not the metrics) form the license-master.

Example for the size for yesterday

earliest=-1d@d latest=@d  index=_internal source=*license_usage.log* type=Usage 
| stats sum(b) AS Bytes by st 
| sort -Bytes

see more here : http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

View solution in original post

ykherianDEPRECA · ‎09-15-2014

Trust the license usage (not the metrics) form the license-master.

Example for the size for yesterday

earliest=-1d@d latest=@d  index=_internal source=*license_usage.log* type=Usage 
| stats sum(b) AS Bytes by st 
| sort -Bytes

see more here : http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

echojacques · ‎09-15-2014

Thanks, the link ( http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume ) is very helpful.

How to determine index volume by sourcetype?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...