Hi,
Currently I have a splunk server receiving logs from a few servers.
I would like to do a search that is scheduled on a daily basis which will report on the total indexed volume for all servers in a day.
This command looks good but it lists individual servers and their indexed size: index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | sort sum(MB)
Thanks
You simply need to use the addtotals command:
index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | addtotals
Some updates,
I am scheduling this search (Daily Indexed Volume) now:
index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | rename series AS "Host(s)" | sort sum(MB) | addcoltotals col=t | fillnull value="[ Total Indexed Volume ] last 24 hours" Host(s)
but it seems to be generating the following errors:
in splunkd.log: 06-25-2010 10:04:27.285 ERROR stats - The argument '>' is invalid.
in scheduler.log: 06-25-2010 10:04:27.285 ERROR SavedSplunker - savedsearch_id="myuserid;search;Daily Indexed Volume", Error in 'stats': The argument '>' is invalid.
Any idea?
Is it because the parens in the Host(s)? Perhaps you need quotes or to escape it? I would try renaming that and give it another crack to isolate the issue.
Another query posted, and another that doesn't work... for me anyway.
Hi, I have created a new question here:
http://answers.splunk.com/questions/3976/custom-alert-condition-search-to-report-on-indexed-volume
Thanks.
I can help answer your question, but for sharing purposes, can you create a new question? It's a modified search and it uses additional operators.
Thanks for the tip. It works fine and I got it to display the total volume. Can you advise further on the Custom Alert condition search to specify that I only want to receive an email if the total indexed volume hits 70% of the license limit?
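As an added example (not code from this thread and not part of Splunk), the Python script below replays offline what the accepted search does, `search group="per_host_thruput" | eval MB=kb/1024 | chart sum(MB) by series | sort sum(MB) | addtotals`, and then applies the alert condition asked about in the last post: fire only when the day's total reaches 70% of the license limit. The metrics.log lines are constructed sample data in the per_host_thruput layout, and the daily license limit passed to `over_license_threshold` is an assumed value, not one from the thread.

```python
"""Offline illustration of the thread's SPL:
  search group="per_host_thruput" | eval MB=kb/1024 | chart sum(MB) by series | sort sum(MB) | addtotals
plus the 70%-of-license alert condition from the final post."""
import re
from collections import defaultdict

# Constructed sample of metrics.log lines (not data from the thread).
# One line belongs to a different group and must be ignored, as the SPL does.
SAMPLE_METRICS_LOG = """\
06-25-2010 10:04:27.285 INFO  Metrics - group=per_host_thruput, series="web01", kbps=12.50, eps=3.10, kb=375.00, ev=93, avg_age=0.20, max_age=1
06-25-2010 10:04:27.285 INFO  Metrics - group=per_host_thruput, series="db01", kbps=20.00, eps=5.00, kb=600.00, ev=150, avg_age=0.10, max_age=1
06-25-2010 10:04:27.285 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=30.00, eps=8.00, kb=900.00, ev=240, avg_age=0.10, max_age=1
06-25-2010 10:04:58.300 INFO  Metrics - group=per_host_thruput, series="web01", kbps=10.00, eps=2.50, kb=300.00, ev=75, avg_age=0.30, max_age=2
06-25-2010 10:04:58.300 INFO  Metrics - group=per_host_thruput, series="web02", kbps=5.00, eps=1.00, kb=49.00, ev=30, avg_age=0.30, max_age=2
"""

# Pulls group, series (the host) and the kb field out of one metrics line.
# The \b before kb= keeps it from matching the kbps= field.
METRIC_RE = re.compile(
    r'group=(?P<group>[^,]+), series="(?P<series>[^"]*)".*?\bkb=(?P<kb>[0-9.]+)'
)


def sum_kb_by_host(log_text):
    """Equivalent of: search group="per_host_thruput" | stats sum(kb) by series."""
    totals = defaultdict(float)
    for line in log_text.splitlines():
        m = METRIC_RE.search(line)
        if m is None or m.group("group") != "per_host_thruput":
            continue  # other metric groups and non-metric lines are skipped
        totals[m.group("series")] += float(m.group("kb"))
    return dict(totals)


def chart_mb_by_host(log_text):
    """Equivalent of: eval MB=kb/1024 | chart sum(MB) by series | sort sum(MB) | addtotals.
    Returns (rows, total_mb); rows is [(host, mb), ...] sorted ascending by MB."""
    rows = sorted(
        ((host, kb / 1024) for host, kb in sum_kb_by_host(log_text).items()),
        key=lambda r: r[1],
    )
    total_mb = sum(mb for _, mb in rows)
    return rows, total_mb


def over_license_threshold(total_mb, license_mb, fraction=0.70):
    """Alert condition: True when the indexed volume is at or above `fraction`
    of the daily license limit (both in MB). license_mb is supplied by the caller."""
    return total_mb >= fraction * license_mb


if __name__ == "__main__":
    rows, total = chart_mb_by_host(SAMPLE_METRICS_LOG)
    for host, mb in rows:
        print(f"{host:<40} {mb:10.4f} MB")
    # Same label the thread's fillnull assigns to the totals row.
    print(f"{'[ Total Indexed Volume ] last 24 hours':<40} {total:10.4f} MB")
    # Assumed daily license limit of 1.5 MB (constructed), so the 70% line is 1.05 MB.
    print("send alert email:", over_license_threshold(total, license_mb=1.5))
```

Run it as-is to see the per-host table with the totals row; in production the `license_mb` argument would be the real daily quota and the log text would come from the `_internal` index rather than an inline string.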