sourcetypes size trend

SplunkySplunk
Explorer

Hello

What is the best way to calculate the sourcetype size trend by time, index and level?

I tried these two options but couldn't find a way to see the trend:

index=_internal source=*license_usage.log* type=Usage idx=* | eval GB=b/1024/1024/1024 | stats sum(GB) by st idx

index=* | eval raw_len=len(_raw)/1024/1024/1024 | stats sum(raw_len) as totalsize count as NumberOfEvent by index sourcetype | sort -NumberOfEvent
| fields - NumberOfEvent
0 Karma

renjith_nair
Legend

Try including the _time as well in your search 

Either using timechart or by _time bucket 

index=_internal source=*license_usage.log* type=Usage idx=* | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st

or

index=_internal source=*license_usage.log* type=Usage idx=* | eval GB=b/1024/1024/1024 | bin _time span=1d
| stats sum(GB) by _time,st
Happy Splunking!
0 Karma
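
Added example, not part of the original thread: a daily volume table split by both index and sourcetype, with the day-over-day change computed per pair, built on the `bin _time` approach in the answer above. The output field names (`bytes`, `prev_GB`, `delta_GB`, `pct_change`) are chosen here for illustration; `b`, `st` and `idx` are the fields already used in the queries on this page.

```spl
index=_internal source=*license_usage.log* type=Usage idx=*
| bin _time span=1d
| stats sum(b) AS bytes BY _time, idx, st
| eval GB=round(bytes/1024/1024/1024, 3)
| sort 0 idx, st, _time
| streamstats current=f global=f window=1 last(GB) AS prev_GB BY idx, st
| eval delta_GB=round(GB - prev_GB, 3)
| eval pct_change=if(prev_GB > 0, round(100 * delta_GB / prev_GB, 1), null())
| table _time, idx, st, GB, prev_GB, delta_GB, pct_change
```

The first day of each index and sourcetype pair has no previous value, so `delta_GB` and `pct_change` are empty on that row.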

sarit_s
Communicator

Hello

It looks good, but once I'm clicking on one of the graphs it shows no results:

[Screenshots: sarit_s_0-1701680370824.png, sarit_s_1-1701680389468.png]

Also, I want to visualize by Level as well.

0 Karma