Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to monitor and report the amount of data indexed per host?

feickertmd
Communicator
‎11-19-2014 12:08 PM

How can I use Splunk to tell me how much data per day each host is forwarding to Splunk? Basically, I need a report that shows the host name and how much data it passed through the Splunk forwarder in bytes.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-19-2014 12:37 PM

This might help

index=_internal sourcetype=splunkd group=per_host_thruput | timechart sum(kb) as totalkb by series limit=0

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-19-2014 12:37 PM

This might help

index=_internal sourcetype=splunkd group=per_host_thruput | timechart sum(kb) as totalkb by series limit=0
Reply
Solved! Jump to solution

feickertmd
Communicator
‎11-19-2014 01:20 PM

This is good, but it gives the average per event. I need aggregate average per day.

I combined yours with the elements here: http://answers.splunk.com/answers/79026/average-count-by-day.html

That worked out nicely. Final query looks like this:
index=_internal sourcetype=splunkd group=per_host_thruput earliest=-1mon@mon latest=@mon | bucket _time span=1d | stats sum(kb) as total by series,_time | stats avg(total) as average by series
|eval averageMB=round(average/1024,2)
|fields - average
|rename series as "Host Server",averageMB as "Average size per day in MB"

0 Karma
Reply
Solved! Jump to solution

feickertmd
Communicator
‎11-20-2014 09:22 AM

So while this report is nice, It shows only 31 hosts as belonging to the series field. We have 57 hosts overall. Why would I not see them all in this report?

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎11-19-2014 12:21 PM

Hi feickertmd,

use the license usage report for this, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/AboutSplunksLicenseUsageReportView

cheers, MuS

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...