
Index volume by host

jkeRE
Explorer

Hello,
I am searching for a CLI search command which gives me the daily indexed volume per host.

Which is the same as I do via the GUI / browser:
Splunk --> Status --> Index activity --> Indexing Volume --> Split by Host / Yesterday

THX J.

1 Solution

jkeRE
Explorer

I found it!!!

Thank you very much.

/opt/splunk/bin/splunk search "index=_internal source=*license_usage.log type=Usage earliest=-1d@d latest=-0d@d | eval MB=b/1024/1024 | stats sum(MB) by h | sort sum(MB) | reverse" -auth test:test123

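The accepted search does three things: it keeps only `type=Usage` records from `license_usage.log`, restricts them to yesterday's midnight-to-midnight window (`earliest=-1d@d latest=@d`, which the later replies explain must sit before the first pipe), and sums the `b` field per host `h`, largest first. The script below is an added example, not code from the thread or from Splunk, that performs the same aggregation over raw log lines so the search's logic can be checked without a running indexer. The log line layout, the `volume_by_host` / `yesterday_window` / `parse_usage_line` names and the sample lines are all constructed for this illustration; only the field names `type`, `h`, `s` and `b` come from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line layout (constructed for this example): a timestamp prefix followed
# by key=value pairs, with the field names used in the thread (type, s, h, b).
TS_RE = re.compile(r'^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) ')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Same conversion as the search's `eval MB=b/1024/1024` (or /1024 once more for GB).
UNIT_DIVISOR = {"MB": 1024 ** 2, "GB": 1024 ** 3}

# Constructed sample lines: two hosts inside the window, one record before the
# window, one after it, one non-Usage record and one unrelated log line.
SAMPLE_LINES = [
    '03-14-2024 01:10:00.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/messages" st="syslog" h="web01" o="" idx="main" b=104857600',
    '03-14-2024 13:00:00.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/nginx/access.log" st="nginx" h="web01" o="" idx="web" b=52428800',
    '03-14-2024 02:00:00.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/pg.log" st="postgres" h="db01" o="" idx="main" b=209715200',
    '03-13-2024 23:59:59.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/pg.log" st="postgres" h="db01" o="" idx="main" b=1073741824',
    '03-15-2024 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/messages" st="syslog" h="web02" o="" idx="main" b=1048576',
    '03-14-2024 03:00:00.000 +0000 INFO  LicenseUsage - type="RolloverSummary" stacksz=1073741824 b=2147483648',
    '03-14-2024 03:00:00.000 +0000 INFO  Metrics - group=per_host_thruput, series="db01", kb=1024',
]

# "Now" is fixed so the example is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 3, 15, 9, 0, tzinfo=timezone.utc)


def parse_usage_line(line):
    """Return (aware timestamp, field dict) for a type=Usage record, else None.

    The None path is the equivalent of the `type=Usage` filter in the search.
    """
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f %z")
    # Quoted values win when present; otherwise take the bare token.
    fields = {k: q or u for k, q, u in KV_RE.findall(line)}
    if fields.get("type") != "Usage":
        return None
    return ts, fields


def yesterday_window(now):
    """Midnight-to-midnight bounds matching earliest=-1d@d latest=@d."""
    today = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return today - timedelta(days=1), today


def volume_by_host(lines, now, unit="MB"):
    """Sum indexed bytes per host for yesterday, largest host first.

    Equivalent to: type=Usage earliest=-1d@d latest=@d | stats sum(b) by h | sort - sum(b)
    """
    start, end = yesterday_window(now)
    totals = defaultdict(int)
    for line in lines:
        parsed = parse_usage_line(line)
        if parsed is None:
            continue
        ts, fields = parsed
        if not (start <= ts < end):      # earliest is inclusive, latest exclusive
            continue
        totals[fields.get("h", "")] += int(fields.get("b", 0))
    divisor = UNIT_DIVISOR[unit]
    return sorted(((host, total / divisor) for host, total in totals.items()),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for host, mb in volume_by_host(SAMPLE_LINES, NOW):
        print(f"{host:<10} {mb:>10.1f} MB")
```

The descending sort answers the follow-up question in the thread about showing the biggest host first; in SPL the same thing is `sort - sum(MB)` rather than `sort sum(MB) | reverse`. One practical note on the commands in the thread: `-auth user:password` on the command line ends up in shell history and in process listings, while running `splunk search` without `-auth` prompts for the credentials instead.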


jkeRE
Explorer

Thanks,
this works!!

And what do I have to append so that the result is sorted by most volume first?


jkeRE
Explorer

Hello,

what is wrong:

/opt/splunk/bin/splunk search "index=_internal source=*license_usage.log type=Usage | earliest=-1d@d | eval GB=b/1024/1024/1024 | stats sum(GB) by h | reverse" -auth test:test123

Unknown search command 'earliest'.


jtrucks
Splunk Employee

earliest is a search parameter, so you want to do this:

/opt/splunk/bin/splunk search "index=_internal source=*license_usage.log type=Usage earliest=-1d@d | eval GB=b/1024/1024/1024 | stats sum(GB) by h | reverse" -auth test:test123

--
Jesse Trucks
Minister of Magic

jspears
Communicator

earliest and latest, if used, must be placed before the first pipe.


jtrucks
Splunk Employee

You can use time modifiers (it defaults to all time):

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/SearchTimeModifiers

so preface your search with: earliest=-1d@d latest=-0d@d

That will go midnight to midnight for yesterday, for example.

Also, add: limit=0

To get all hosts (or limit=100 or whatever).

--
Jesse Trucks
Minister of Magic

jspears
Communicator

For "yesterday" you would include

earliest=-1d@d latest=@d

in your search before the first pipe.

Then I would use stats instead of timechart to give data for every host in a table format:

  | stats sum(GB) by h

jkeRE
Explorer

THX, I have already read this, but didn't find a solution.

I use this CLI:

/opt/splunk/bin/splunk search "index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by h useother=false" -auth test:test123

My problem is that the output only has the first 10 hosts (limits.conf: maxseries = 200), and the output is very long. I want to limit it to the last day.

Have you a solution?


jtrucks
Splunk Employee

I run this across the last two weeks and look at it fairly often:

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by s useother=false | reverse

You could adapt that for host use instead of source fairly easily...

--
Jesse Trucks
Minister of Magic

bosburn_splunk
Splunk Employee

You can find several different queries here - http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

Brian
