Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Total number of indexed volume per day

apro
Path Finder
‎06-21-2010 08:18 AM

Hi,

Currently I have a splunk server receiving logs from few servers.

I will like to do a search that is scheduled on a daily basis which will report on the total indexed volume for all servers in a day.

This command looks good but it list individual servers and their indexed size: index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | sort sum(MB)

Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎06-21-2010 04:45 PM

You simply need to use the addtotals command:

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | addtotals

View solution in original post

Reply
Solved! Jump to solution

apro
Path Finder
‎06-25-2010 06:18 AM

Some updates,

I am scheduling this search(Daily Indexed Volume) now:

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | rename series AS "Host(s)" | sort sum(MB) | addcoltotals col=t | fillnull value="[ Total Indexed Volume ] last 24 hours" Host(s)

but it seems to be generating the following errors:

in splunkd.log: 06-25-2010 10:04:27.285 ERROR stats - The argument '>' is invalid.

in scheduler.log: 06-25-2010 10:04:27.285 ERROR SavedSplunker - savedsearch_id="myuserid;search;Daily Indexed Volume", Error in 'stats': The argument '>' is invalid.

Any idea??

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎02-11-2013 08:47 AM

Is it because the parens in the Host(s)? Perhaps you need quotes or to escape it? I would try renaming that and give it another crack to isolate the issue.

0 Karma
Reply
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎06-21-2010 04:45 PM

You simply need to use the addtotals command:

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | addtotals

Reply
Solved! Jump to solution

mendesjo
Path Finder
‎02-24-2016 03:46 PM

another query posted and another that doesnt work.. for me anyway.

0 Karma
Reply
Solved! Jump to solution

apro
Path Finder
‎06-24-2010 06:01 AM

Hi, have created new question here ->

http://answers.splunk.com/questions/3976/custom-alert-condition-search-to-report-on-indexed-volume

thanks.

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎06-23-2010 03:11 PM

I can help answer your question, but for sharing purposes, can you create a new question? It's a modified search and it uses additional operators.

0 Karma
Reply
Solved! Jump to solution

apro
Path Finder
‎06-23-2010 10:10 AM

Thanks for the tip.works fine and got to display the total volume.Can advise further on the Custom Alert condition search to specify if I only want to receive an email if the total indexed volume hit 70% of the license limit?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...