Solved: log file size

DataOrg · ‎04-08-2019

How to calculate file size size which is indexed in splunk.

For example
xx1.log
xx2.log
two files indexed at splunk and i want to calculate the size of the source after index.

whrg · ‎04-08-2019

Hello @premranjithj,

I use the following search to list the top sources by size:

index=_internal source="*license_usage.log" type=usage
| eval KB= b/1024| chart sum(KB) as sum_KB by s | eval sum_KB=round(sum_KB,0) | sort - sum_KB
| head 10
| rename s as source

Set the time picker accordingly, e.g. Last 24 hours.

if you want those two specific sources then use:

index=_internal source="*license_usage.log" type=usage (s="xx1.log" OR s="xx2.log")
| eval KB= b/1024| chart sum(KB) as sum_KB by s | eval sum_KB=round(sum_KB,0)
| rename s as source

View solution in original post

whrg · ‎04-08-2019

Hello @premranjithj,

I use the following search to list the top sources by size:

index=_internal source="*license_usage.log" type=usage
| eval KB= b/1024| chart sum(KB) as sum_KB by s | eval sum_KB=round(sum_KB,0) | sort - sum_KB
| head 10
| rename s as source

Set the time picker accordingly, e.g. Last 24 hours.

if you want those two specific sources then use:

index=_internal source="*license_usage.log" type=usage (s="xx1.log" OR s="xx2.log")
| eval KB= b/1024| chart sum(KB) as sum_KB by s | eval sum_KB=round(sum_KB,0)
| rename s as source

log file size

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation