Thanx,
this work !!

And what have i apend that the result is sort by most volume first?

Hello,

what is wrong:

/opt/splunk/bin/splunk search "index=_internal source=*license_usage.log type=Usage | earliest=-1d@d | eval GB=b/1024/1024/1024 | stats sum(GB) by h | reverse" -auth test:test123

Unknown search command 'earliest'.

You can use time modifiers (it defaults to all time):

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/SearchTimeModifiers

so preface your search with: earliest=-1d@d latest=-0d@d

That will go midnight to midnight for yesterday, for example.

Also, add: limit=0

To get all hosts (or limit=100 or whatever).

For "yesterday" you would include

earliest=-1d@d latest=@d

in your search before the first pipe.

Then I would use stats instead of timechart to give data for every host in a table format:

  | stats sum(GB) by h

THX, i have already read this, but didn't find a solution.

I use this CLI -->

/opt/splunk/bin/splunk search "index=internal source=*licenseusage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by h useother=false" -auth test:test123

My Problem is that - the output only has the first 10 Hosts --> (limits.conf --> maxseries = 200 ) - and the output is very long. i want to limit to the last day.

Have you a solution?

I run this across the last two weeks and look at it fairly often:

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by s useother=false | reverse

You could adapt that for host use instead of source fairly easily...

You can find several different queries here - http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

Brian