Re: Total number if indexed volume for all hosts p...

mike7860 · ‎11-02-2012

I would like to generate a report that'll list all the indexes and indexed volume usage for all the servers in my environment. When I am using the following expression, it is displaying incorrect info.
index=_internal group="per_index_thruput" | dedup series | table series kb | eval gb = round(kb/1024, 2) | fields - kb | rename gb as sum(GB) | addcoltotals

All the indexes are listed along with their usages, but the results do not tally with the results obtained from clicking Status -> Index activity -> Index volume. I do not want to use the results from the status tab as I am unable to do modifications like changing the usage into MB and adding totals of indexed volume usage.

pshumate · ‎11-02-2012

Quick visualization of the ingest:



earliest=-2d@d latest=-1d@d index=_internal group="per_index_thruput" | timechart per_second(kb) as " kbps" by series

and a answer to the question:



earliest=-2d@d latest=-1d@d index=_internal group="per_index_thruput" 

| eval rmb = round(kb/1024, 2) 

| eval rgb = round(rmb/1024, 2)

| eval mb = kb/1024

| eval gb = (kb/1024)/1024

| stats  sum(kb) as "Total KB", sum(rmb) AS "Rounded MB", sum(rgb) AS "Rounded GB", sum(mb) as "Total MB", sum(gb) AS "Total GB" by series

Total number if indexed volume for all hosts per day

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Total number if indexed volume for all hosts per day

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey