
Total number of indexed volume per day

Path Finder

Hi,

Currently I have a Splunk server receiving logs from a few servers.

I would like to do a search that is scheduled on a daily basis, which will report on the total indexed volume for all servers in a day.

This command looks good, but it lists individual servers and their indexed size:

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | sort sum(MB)

Thanks

0 Karma

Re: Total number of indexed volume per day

Splunk Employee

You simply need to use the addtotals command:

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | addtotals


Re: Total number of indexed volume per day

Path Finder

Thanks for the tip. Works fine and got it to display the total volume. Can you advise further on the Custom Alert condition search to specify if I only want to receive an email if the total indexed volume hits 70% of the license limit?

0 Karma
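One way to express the 70% condition asked about above, as an added example that is not from any poster in this thread: the search collapses yesterday's per-host throughput into a single total and returns a row only when that total reaches 70% of the quota, so the alert can be scheduled daily with a trigger of "number of results is greater than 0". The 500 MB quota and the field names `assumed_license_MB`, `total_MB` and `pct_of_license` are assumptions; replace the quota with the daily limit of your own license.

```spl
index=_internal source=*metrics.log group="per_host_thruput" earliest=-1d@d latest=@d
| eval MB = kb / 1024
| stats sum(MB) AS total_MB
| eval assumed_license_MB = 500
| eval pct_of_license = round(total_MB / assumed_license_MB * 100, 1)
| where pct_of_license >= 70
| table total_MB assumed_license_MB pct_of_license
```

By default metrics.log records only the busiest series in each sampling interval, so on deployments with many hosts this total can come out lower than the volume the license is actually charged for.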

Re: Total number of indexed volume per day

Splunk Employee

I can help answer your question, but for sharing purposes, can you create a new question? It's a modified search and it uses additional operators.

0 Karma

Re: Total number of indexed volume per day

Path Finder
0 Karma

Re: Total number of indexed volume per day

Explorer

Another query posted and another that doesn't work... for me anyway.

0 Karma

Re: Total number of indexed volume per day

Path Finder

Some updates,

I am scheduling this search (Daily Indexed Volume) now:

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | rename series AS "Host(s)" | sort sum(MB) | addcoltotals col=t | fillnull value="[ Total Indexed Volume ] last 24 hours" Host(s)

but it seems to be generating the following errors:

in splunkd.log: 06-25-2010 10:04:27.285 ERROR stats - The argument '>' is invalid.

in scheduler.log: 06-25-2010 10:04:27.285 ERROR SavedSplunker - savedsearch_id="myuserid;search;Daily Indexed Volume", Error in 'stats': The argument '>' is invalid.

Any idea??

0 Karma

Re: Total number of indexed volume per day

Ultra Champion

Is it because of the parens in Host(s)? Perhaps you need quotes or to escape it? I would try renaming that and give it another crack to isolate the issue.

0 Karma