
Index volume by host

Explorer

Hello,
I am searching for a CLI search command which gives me the daily indexed volume per host.

Which is the same as i do it via the GUI / Browser -->
Splunk --> Status --> Index activity --> Indexing Volume --> Split by Host / Yesterday

THX J.


Re: Index volume by host

Contributor

You can find several different queries here - http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

Brian


Re: Index volume by host

Motivator

I run this across the last two weeks and look at it fairly often:

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by s useother=false | reverse

You could adapt that for host use instead of source fairly easily...


Re: Index volume by host

Explorer

THX, I have already read this, but didn't find a solution.

I use this CLI -->

/opt/splunk/bin/splunk search "index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by h useother=false" -auth test:test123

My problem is that the output only has the first 10 hosts --> (limits.conf --> maxseries = 200) - and the output is very long. I want to limit it to the last day.

Do you have a solution?


Re: Index volume by host

Communicator

For "yesterday" you would include

earliest=-1d@d latest=@d

in your search before the first pipe.

Then I would use stats instead of timechart to give data for every host in a table format:

  | stats sum(GB) by h

Re: Index volume by host

Motivator

You can use time modifiers (it defaults to all time):

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/SearchTimeModifiers

so preface your search with: earliest=-1d@d latest=-0d@d

That will go midnight to midnight for yesterday, for example.

Also, add: limit=0

To get all hosts (or limit=100 or whatever).


Re: Index volume by host

Explorer

Hello,

what is wrong:

/opt/splunk/bin/splunk search "index=_internal source=*license_usage.log type=Usage | earliest=-1d@d | eval GB=b/1024/1024/1024 | stats sum(GB) by h | reverse" -auth test:test123

Unknown search command 'earliest'.


Re: Index volume by host

Communicator

earliest and latest, if used, must be placed before the first pipe.


Re: Index volume by host

Motivator

earliest is a search parameter, so you want to do this:

/opt/splunk/bin/splunk search "index=_internal source=*license_usage.log type=Usage earliest=-1d@d | eval GB=b/1024/1024/1024 | stats sum(GB) by h | reverse" -auth test:test123


Re: Index volume by host

Explorer

Thanks,
this works!!

And what do I have to append so that the result is sorted by most volume first?

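The pieces discussed across this thread (the midnight-to-midnight window, the per-host sum of the b field, including every host rather than the first ten, and a largest-first order), as an added worked example that is not from any post here: a small Python script that reproduces offline, over a few constructed license_usage.log-style records, what the SPL `index=_internal source=*license_usage.log type=Usage earliest=-1d@d latest=@d | eval GB=b/1024/1024/1024 | stats sum(GB) as GB by h | sort - GB` computes. The field names type, b and h come from the thread; the host names, timestamps, byte counts and the fixed "now" are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from any real deployment) in the shape of
# license_usage.log "Usage" lines: one record per source/sourcetype/host/index
# per reporting interval, with b = bytes indexed in that interval.
SAMPLE_LOG = """\
03-10-2014 00:05:00.123 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st="syslog" h="web01" o="" idx="main" i="1A2B3C" pool="auto_generated_pool_enterprise" b=536870912 poolsz=53687091200
03-10-2014 06:05:00.123 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web01" o="" idx="main" i="1A2B3C" pool="auto_generated_pool_enterprise" b=268435456 poolsz=53687091200
03-10-2014 12:05:00.123 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st="syslog" h="db01" o="" idx="main" i="1A2B3C" pool="auto_generated_pool_enterprise" b=2147483648 poolsz=53687091200
03-10-2014 23:59:00.123 +0000 INFO  LicenseUsage - type=RolloverSummary stack=enterprise stacksz=53687091200 b=2952790016
03-11-2014 00:05:00.123 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st="syslog" h="web01" o="" idx="main" i="1A2B3C" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
"""

# key=value pairs; values are either double-quoted (s, st, h, idx) or bare (type, b).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TS_LEN = len("03-10-2014 00:05:00.123 +0000")


def parse_line(line):
    """Return (timestamp, fields) for one log line, or None if it cannot be parsed."""
    line = line.rstrip("\n")
    if len(line) < TS_LEN:
        return None
    try:
        ts = datetime.strptime(line[:TS_LEN], "%m-%d-%Y %H:%M:%S.%f %z")
    except ValueError:
        return None
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line[TS_LEN:])}
    return ts, fields


def yesterday_window(now):
    """Equivalent of earliest=-1d@d latest=@d: [midnight yesterday, midnight today)."""
    today = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return today - timedelta(days=1), today


def volume_by_host(lines, start, end):
    """Sum b per host h over type=Usage records with start <= t < end, in GB,
    largest first: the stats-by-h plus descending sort from the SPL above."""
    totals = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        # RolloverSummary records also carry b, so filter on type as the SPL does.
        if f.get("type") != "Usage" or not (start <= ts < end):
            continue
        totals[f["h"]] = totals.get(f["h"], 0) + int(f["b"])
    return sorted(((h, b / 1024 / 1024 / 1024) for h, b in totals.items()),
                  key=lambda hb: hb[1], reverse=True)


def demo():
    """Run the aggregation with a constructed 'now' of 2014-03-11 09:00 UTC,
    so that the 03-10 records fall into 'yesterday' and the 03-11 record is excluded."""
    start, end = yesterday_window(datetime(2014, 3, 11, 9, 0, tzinfo=timezone.utc))
    return volume_by_host(SAMPLE_LOG.splitlines(), start, end)


if __name__ == "__main__":
    for host, gb in demo():
        print(f"{host:<20} {gb:8.3f} GB")
```

Because the per-host total is a stats-style group-by rather than a timechart series, every host appears; the ten-host cut-off the asker ran into is timechart's default series limit, which is what the `limit=0` suggestion above removes. In the sample data the 03-11 record is dropped by the `latest=@d` boundary and the RolloverSummary record by the type filter, leaving db01 at 2 GB ahead of web01 at 0.75 GB.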