Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to determine how much disk space my sourcetype is taking up?

a212830
Champion
‎10-15-2014 03:13 PM

Hi,

Is there a way to determine how much disk space a sourcetype is using?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

jlanders
Path Finder
‎10-15-2014 07:04 PM

So here's one option. You can see how much data you are indexing for a given time period per sourcetype. The general rule for Splunk disk storage is 1/2 X Indexing X Days. Example: 1/2 X 5 gb X 365 days = 912.5 GB of storage.

index=internal metrics kb series!=* "group=per_sourcetype_thruput" | stats sum(indexed_mb) by series

Another option might be using the dbinspect command:

| dbinspect index=my_index

If you can estimate the percentage of the index your sourcetype takes up, you can can an accurate estimate of the disk usage. Reference: http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Dbinspect

View solution in original post

Reply
Solved! Jump to solution
Solution

jlanders
Path Finder
‎10-15-2014 07:04 PM

So here's one option. You can see how much data you are indexing for a given time period per sourcetype. The general rule for Splunk disk storage is 1/2 X Indexing X Days. Example: 1/2 X 5 gb X 365 days = 912.5 GB of storage.

index=internal metrics kb series!=* "group=per_sourcetype_thruput" | stats sum(indexed_mb) by series

Another option might be using the dbinspect command:

| dbinspect index=my_index

If you can estimate the percentage of the index your sourcetype takes up, you can can an accurate estimate of the disk usage. Reference: http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Dbinspect

Reply
Solved! Jump to solution

awurster
Contributor
‎12-08-2014 03:57 PM

in 6.1 that didn't seem to work at all for me. i found success with the following:

index=_internal metrics kb group=per_sourcetype_thruput | eval sizeMB = round(kb/1024,2)| stats sum(sizeMB) by series | sort -sum(sizeMB) | rename sum(sizeMB) AS "Size on Disk (MB)"
Reply
Solved! Jump to solution

chadmedeiros
Path Finder
‎07-24-2018 09:19 PM

I would be careful to convert to MB and round after sum'ing, not before

0 Karma
Reply
Solved! Jump to solution

TomSquare31
Engager
‎01-06-2017 09:18 AM

Utilized your method @awurster and it worked perfectly. Thanks

Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...