Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to determine index volume by sourcetype?

echojacques
Builder
‎09-15-2014 10:16 AM

Hello,

How can I determine the index volume by sourcetype? The reason why I ask is because occasionally I'll have a big spike in my index volume that threatens my license cap and I'm trying to find the best way to determine the cause of the spike. If I can create a chart that shows volume by sourcetype (over X hours) then I can identify the culprit and dig in from there.

Or even better, is there a search that I can run that actually identifies the cause of the spike (not just the sourectype)?

Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

ykherianDEPRECA
Splunk Employee
Splunk Employee
‎09-15-2014 10:50 AM

Trust the license usage (not the metrics) form the license-master.

Example for the size for yesterday

earliest=-1d@d latest=@d  index=_internal source=*license_usage.log* type=Usage 
| stats sum(b) AS Bytes by st 
| sort -Bytes

see more here : http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

View solution in original post

Reply
Solved! Jump to solution
Solution

ykherianDEPRECA
Splunk Employee
Splunk Employee
‎09-15-2014 10:50 AM

Trust the license usage (not the metrics) form the license-master.

Example for the size for yesterday

earliest=-1d@d latest=@d  index=_internal source=*license_usage.log* type=Usage 
| stats sum(b) AS Bytes by st 
| sort -Bytes

see more here : http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

Reply
Solved! Jump to solution

echojacques
Builder
‎09-15-2014 01:26 PM

Thanks, the link ( http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume ) is very helpful.

Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...