Getting Data In

Index volume by host

jkeRE
Explorer

Hello,
I am searching for a CLI search command which gives me the daily indexed volume per host.

Which is the same as I do via the GUI / browser -->
Splunk --> Status --> Index activity --> Indexing Volume --> Split by Host / Yesterday

Thanks, J.

1 Solution

jkeRE
Explorer

I found it!!!

Thank you very much.

/opt/splunk/bin/splunk search "index=_internal source=*license_usage.log type=Usage earliest=-1d@d latest=-0d@d | eval MB=b/1024/1024 | stats sum(MB) by h | sort sum(MB) | reverse" -auth test:test123

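As an added example (not code from this thread or from Splunk), the following Python script reproduces offline what the accepted search above does: it parses license_usage.log lines, keeps only type="Usage" events, restricts them to yesterday's midnight-to-midnight window (the equivalent of earliest=-1d@d latest=@d), sums the b= byte counts per h= host, converts with 1024 (not 1034, which silently inflates every figure) and sorts largest first. The sample log lines are constructed for the example; the field layout (type, s, st, h, idx, b, poolsz) is assumed to match what Splunk writes, and NOW is pinned so the window is reproducible. Note also that passing -auth test:test123 on the command line, as in the thread, exposes the password to every local user via the process table and to the shell history; prefer letting the CLI prompt for credentials or using a dedicated low-privilege account.

```python
"""Compute yesterday's indexed volume per host from license_usage.log lines.

Added example, not code from the original thread: it mirrors the SPL search
  index=_internal source=*license_usage.log type=Usage earliest=-1d@d latest=@d
  | eval GB=b/1024/1024/1024 | stats sum(GB) by h | sort -sum(GB)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the shape of Splunk's license_usage.log
# (not real data). Only type="Usage" events carry per-host byte counts (b=).
SAMPLE_LOG = """\
05-20-2013 00:30:00.000 -0400 INFO  LicenseUsage - type="Usage" s="/var/log/syslog" st="syslog" h="web01" idx="main" i="ABC" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=5368709120
05-20-2013 01:30:00.000 -0400 INFO  LicenseUsage - type="Usage" s="/var/log/auth.log" st="linux_secure" h="web01" idx="main" i="ABC" pool="auto_generated_pool_enterprise" b=536870912 poolsz=5368709120
05-20-2013 02:30:00.000 -0400 INFO  LicenseUsage - type="Usage" s="WinEventLog:Security" st="WinEventLog" h="dc01" idx="wineventlog" i="ABC" pool="auto_generated_pool_enterprise" b=2147483648 poolsz=5368709120
05-20-2013 03:30:00.000 -0400 INFO  LicenseUsage - type="RolloverSummary" i="ABC" pool="auto_generated_pool_enterprise" b=3758096384 poolsz=5368709120
05-21-2013 00:10:00.000 -0400 INFO  LicenseUsage - type="Usage" s="/var/log/syslog" st="syslog" h="web01" idx="main" i="ABC" pool="auto_generated_pool_enterprise" b=99999999 poolsz=5368709120
05-19-2013 23:50:00.000 -0400 INFO  LicenseUsage - type="Usage" s="/var/log/syslog" st="syslog" h="web02" idx="main" i="ABC" pool="auto_generated_pool_enterprise" b=123 poolsz=5368709120
"""

TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
UNIT_DIVISOR = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_usage_events(text):
    """Yield (timestamp, fields) for every line that starts with a Splunk timestamp."""
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f %z")
        # findall gives (key, quoted, bare); exactly one of the two values is set
        fields = {k: (bare or quoted) for k, quoted, bare in KV_RE.findall(line)}
        yield ts, fields


def yesterday_window(now):
    """Return (earliest, latest) for SPL earliest=-1d@d latest=@d.
    '@d' snaps to midnight in the timezone of `now`; the window is half-open."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight - timedelta(days=1), midnight


def volume_by_host(text, now, unit="GB"):
    """Sum b= per host h= over type="Usage" events inside yesterday's window.

    Returns [(host, volume), ...] sorted by volume, largest first, i.e. the
    same table as '| stats sum(GB) by h | sort -sum(GB)'.
    """
    earliest, latest = yesterday_window(now)
    totals = defaultdict(int)
    for ts, f in parse_usage_events(text):
        if f.get("type") != "Usage":      # RolloverSummary etc. carry no per-host b=
            continue
        if not (earliest <= ts < latest):  # drop today's and older events
            continue
        totals[f["h"]] += int(f["b"])
    divisor = UNIT_DIVISOR[unit]  # binary units: 1024, never 1034
    return sorted(((h, b / divisor) for h, b in totals.items()),
                  key=lambda hv: hv[1], reverse=True)


# Pinned "now": 2013-05-21 09:00 in the log's UTC-4 zone, so "yesterday" is 05-20.
NOW = datetime(2013, 5, 21, 9, 0, tzinfo=timezone(timedelta(hours=-4)))

if __name__ == "__main__":
    for host, gb in volume_by_host(SAMPLE_LOG, NOW):
        print(f"{host:<10} {gb:8.3f} GB")
```

Run it as-is to see dc01 (2.000 GB) listed above web01 (1.500 GB); the 05-21 and 05-19 events fall outside the window and the RolloverSummary line is skipped by the type filter, exactly as type=Usage earliest=-1d@d latest=@d would do in the search. To point it at a real indexer, read $SPLUNK_HOME/var/log/splunk/license_usage.log* instead of SAMPLE_LOG and pass datetime.now().astimezone() as now.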


jkeRE
Explorer

Thanks,
this works!!

And what do I have to append so that the result is sorted by most volume first?


jkeRE
Explorer

Hello,

What is wrong here:

/opt/splunk/bin/splunk search "index=_internal source=*license_usage.log type=Usage | earliest=-1d@d | eval GB=b/1024/1024/1024 | stats sum(GB) by h | reverse" -auth test:test123

Unknown search command 'earliest'.


jtrucks
Splunk Employee

earliest is a search parameter, so you want to do this:

/opt/splunk/bin/splunk search "index=_internal source=*license_usage.log type=Usage earliest=-1d@d | eval GB=b/1024/1024/1024 | stats sum(GB) by h | reverse" -auth test:test123

jspears
Communicator

earliest and latest, if used, must be placed before the first pipe.


jtrucks
Splunk Employee

You can use time modifiers (it defaults to all time):

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/SearchTimeModifiers

so preface your search with: earliest=-1d@d latest=-0d@d

That will go midnight to midnight for yesterday, for example.

Also, add: limit=0

To get all hosts (or limit=100 or whatever).

jspears
Communicator

For "yesterday" you would include

earliest=-1d@d latest=@d

in your search before the first pipe.

Then I would use stats instead of timechart to give data for every host in a table format:

  | stats sum(GB) by h

jkeRE
Explorer

Thanks, I have already read this, but didn't find a solution.

I use this CLI -->

/opt/splunk/bin/splunk search "index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by h useother=false" -auth test:test123

My problem is that the output only has the first 10 hosts (limits.conf --> maxseries = 200) and the output is very long. I want to limit it to the last day.

Do you have a solution?


jtrucks
Splunk Employee

I run this across the last two weeks and look at it fairly often:

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by s useother=false | reverse

You could adapt that for host use instead of source fairly easily...

bosburn_splunk
Splunk Employee

You can find several different queries here - http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

Brian
