sourcetypes size trend

SplunkySplunk
Explorer

Hello

What is the best way to calculate sourcetype size trend by time, index and level?

I tried these two options but couldn't find a way to see the trend:

index=_internal source=*license_usage.log* type=Usage idx=* | eval GB=b/1024/1024/1024 | stats sum(GB) by st idx

index=* | eval raw_len=len(_raw)/1024/1024/1024 | stats sum(raw_len) as totalsize count as NumberOfEvent by index sourcetype | sort -NumberOfEvent
| fields - NumberOfEvent
0 Karma

renjith_nair
SplunkTrust

Try including the _time as well in your search 

Either using timechart or by _time bucket 

index=_internal source=*license_usage.log* type=Usage idx=* | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st

 

or

index=_internal source=*license_usage.log*  type=Usage idx=*| eval GB=b/1024/1024/1024 |bin _time span=1d 
| stats sum(GB) by _time,st
Happy Splunking!
0 Karma
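An added example, not part of the thread: timechart accepts only one split-by field, so to see the daily trend per index and sourcetype together, one option is to join the two into a single series name before charting. The field name `series` and the `limit=20` cut-off are assumptions chosen here; `b`, `idx` and `st` are the license_usage.log fields already used in the searches above.

```spl
index=_internal source=*license_usage.log* type=Usage idx=*
| eval GB = b/1024/1024/1024
| eval series = idx . ":" . st
| timechart span=1d limit=20 useother=true sum(GB) by series
```

Each column in the result is one index:sourcetype pair, and pairs beyond the top 20 are summed into OTHER so the total volume per day is still visible.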

sarit_s
Communicator

Hello

It looks good, but once I'm clicking on one of the graphs it shows no results:

[Two screenshots attached: sarit_s_0-1701680370824.png, sarit_s_1-1701680389468.png]

Also, I want to visualize by Level as well.

0 Karma