Solved: Re: How to determine index volume by sourcetype?

echojacques · ‎09-15-2014

Hello,

How can I determine the index volume by sourcetype? The reason why I ask is because occasionally I'll have a big spike in my index volume that threatens my license cap and I'm trying to find the best way to determine the cause of the spike. If I can create a chart that shows volume by sourcetype (over X hours) then I can identify the culprit and dig in from there.

Or even better, is there a search that I can run that actually identifies the cause of the spike (not just the sourectype)?

Thanks!

ykherianDEPRECA · ‎09-15-2014

Trust the license usage (not the metrics) form the license-master.

Example for the size for yesterday

earliest=-1d@d latest=@d  index=_internal source=*license_usage.log* type=Usage 
| stats sum(b) AS Bytes by st 
| sort -Bytes

see more here : http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

View solution in original post

ykherianDEPRECA · ‎09-15-2014

Trust the license usage (not the metrics) form the license-master.

Example for the size for yesterday

earliest=-1d@d latest=@d  index=_internal source=*license_usage.log* type=Usage 
| stats sum(b) AS Bytes by st 
| sort -Bytes

see more here : http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

echojacques · ‎09-15-2014

Thanks, the link ( http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume ) is very helpful.

How to determine index volume by sourcetype?

Improve Your Security Posture

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]