Re: Total number if indexed volume for all hosts p...

mike7860 · ‎11-02-2012

I would like to generate a report that'll list all the indexes and indexed volume usage for all the servers in my environment. When I am using the following expression, it is displaying incorrect info.
index=_internal group="per_index_thruput" | dedup series | table series kb | eval gb = round(kb/1024, 2) | fields - kb | rename gb as sum(GB) | addcoltotals

All the indexes are listed along with their usages, but the results do not tally with the results obtained from clicking Status -> Index activity -> Index volume. I do not want to use the results from the status tab as I am unable to do modifications like changing the usage into MB and adding totals of indexed volume usage.

pshumate · ‎11-02-2012

Quick visualization of the ingest:



earliest=-2d@d latest=-1d@d index=_internal group="per_index_thruput" | timechart per_second(kb) as " kbps" by series

and a answer to the question:



earliest=-2d@d latest=-1d@d index=_internal group="per_index_thruput" 

| eval rmb = round(kb/1024, 2) 

| eval rgb = round(rmb/1024, 2)

| eval mb = kb/1024

| eval gb = (kb/1024)/1024

| stats  sum(kb) as "Total KB", sum(rmb) AS "Rounded MB", sum(rgb) AS "Rounded GB", sum(mb) as "Total MB", sum(gb) AS "Total GB" by series

Total number if indexed volume for all hosts per day

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation