Getting Data In

Total number of indexed volume for all hosts per day

mike7860
Explorer

I would like to generate a report that'll list all the indexes and indexed volume usage for all the servers in my environment. When I am using the following expression, it is displaying incorrect info.
index=_internal group="per_index_thruput" | dedup series | table series kb | eval gb = round(kb/1024, 2) | fields - kb | rename gb as sum(GB) | addcoltotals

All the indexes are listed along with their usages, but the results do not tally with the results obtained from clicking Status -> Index activity -> Index volume. I do not want to use the results from the status tab as I am unable to do modifications like changing the usage into MB and adding totals of indexed volume usage.

0 Karma

pshumate
Explorer

Quick visualization of the ingest:


earliest=-2d@d latest=-1d@d index=_internal group="per_index_thruput" | timechart per_second(kb) as " kbps" by series

and an answer to the question:


earliest=-2d@d latest=-1d@d index=_internal group="per_index_thruput"
| eval rmb = round(kb/1024, 2)
| eval rgb = round(rmb/1024, 2)
| eval mb = kb/1024
| eval gb = (kb/1024)/1024
| stats sum(kb) as "Total KB", sum(rmb) AS "Rounded MB", sum(rgb) AS "Rounded GB", sum(mb) as "Total MB", sum(gb) AS "Total GB" by series

0 Karma
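
An added illustration, not code from either poster or from Splunk: a Python sketch over constructed metrics.log lines that shows why keeping one event per series (what `dedup series` does) under-reports volume compared with summing `kb` per day and index, and how to round to MB only after summing. The sample lines and all function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed metrics.log lines in the per_index_thruput layout (not real data).
SAMPLE = """\
03-10-2014 00:00:31.000 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=10.0, eps=5.0, kb=310.0, ev=155
03-10-2014 00:01:02.000 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=20.0, eps=9.0, kb=620.0, ev=279
03-10-2014 00:01:02.000 +0000 INFO  Metrics - group=per_index_thruput, series="_internal", kbps=1.0, eps=2.0, kb=31.0, ev=62
03-11-2014 00:00:31.000 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=5.0, eps=2.0, kb=155.0, ev=62
03-11-2014 00:00:31.000 +0000 INFO  Metrics - group=thruput, name=index_thruput, kb=999.0
"""

# \bkb= matches the kb field only; it cannot match inside kbps=.
LINE = re.compile(r'^(\d\d-\d\d-\d{4}) .*group=per_index_thruput, series="([^"]+)",.*?\bkb=([\d.]+)')

def parse(text):
    """Yield (day, index, kb) for each per_index_thruput sample; skip other groups."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2), float(m.group(3))

def daily_volume(text):
    """Sum kb per (day, index), like stats sum(kb) split by day and series."""
    totals = defaultdict(float)
    for day, index, kb in parse(text):
        totals[(day, index)] += kb
    return dict(totals)

def dedup_volume(text):
    """Keep a single sample per index (the most recent), as 'dedup series' does."""
    latest = {}
    for _day, index, kb in parse(text):
        latest[index] = kb  # sample is in time order, so later lines win
    return latest

def report(text):
    """Rows of (day, index, MB) followed by per-day TOTAL rows; round after summing."""
    vol = daily_volume(text)
    rows = [(d, i, round(kb / 1024, 2)) for (d, i), kb in sorted(vol.items())]
    per_day = defaultdict(float)
    for (d, _i), kb in vol.items():
        per_day[d] += kb
    rows += [(d, "TOTAL", round(kb / 1024, 2)) for d, kb in sorted(per_day.items())]
    return rows
```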