Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Total number of indexed volume per day

apro
Path Finder
‎06-21-2010 08:18 AM

Hi,

Currently I have a splunk server receiving logs from few servers.

I will like to do a search that is scheduled on a daily basis which will report on the total indexed volume for all servers in a day.

This command looks good but it list individual servers and their indexed size: index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | sort sum(MB)

Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎06-21-2010 04:45 PM

You simply need to use the addtotals command:

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | addtotals

View solution in original post

Reply
Solved! Jump to solution

apro
Path Finder
‎06-25-2010 06:18 AM

Some updates,

I am scheduling this search(Daily Indexed Volume) now:

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | rename series AS "Host(s)" | sort sum(MB) | addcoltotals col=t | fillnull value="[ Total Indexed Volume ] last 24 hours" Host(s)

but it seems to be generating the following errors:

in splunkd.log: 06-25-2010 10:04:27.285 ERROR stats - The argument '>' is invalid.

in scheduler.log: 06-25-2010 10:04:27.285 ERROR SavedSplunker - savedsearch_id="myuserid;search;Daily Indexed Volume", Error in 'stats': The argument '>' is invalid.

Any idea??

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎02-11-2013 08:47 AM

Is it because the parens in the Host(s)? Perhaps you need quotes or to escape it? I would try renaming that and give it another crack to isolate the issue.

0 Karma
Reply
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎06-21-2010 04:45 PM

You simply need to use the addtotals command:

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | addtotals

Reply
Solved! Jump to solution

mendesjo
Path Finder
‎02-24-2016 03:46 PM

another query posted and another that doesnt work.. for me anyway.

0 Karma
Reply
Solved! Jump to solution

apro
Path Finder
‎06-24-2010 06:01 AM

Hi, have created new question here ->

http://answers.splunk.com/questions/3976/custom-alert-condition-search-to-report-on-indexed-volume

thanks.

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎06-23-2010 03:11 PM

I can help answer your question, but for sharing purposes, can you create a new question? It's a modified search and it uses additional operators.

0 Karma
Reply
Solved! Jump to solution

apro
Path Finder
‎06-23-2010 10:10 AM

Thanks for the tip.works fine and got to display the total volume.Can advise further on the Custom Alert condition search to specify if I only want to receive an email if the total indexed volume hit 70% of the license limit?

0 Karma
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...