Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

we have daily ingestion of 7 TB but how do i know which source is sending how much data

deepthi5
Path Finder
‎09-30-2025 09:56 AM

splunk query to find how much data is coming via hec , how much data is coming via dbconnect , how much data is coming via Universal forwarder per day 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-05-2025 07:34 AM

1st you must know what are those sources or access points what you want to calculate. Then you need to define which sources are coming through those.

Then you need to calculate totals per input types like HEC, DBX and UF.

You can use those examples from @gcusello and @PrewinThomas to get information from individual nodes, indexes etc. but you cannot get that by access type as easily.

0 Karma
Reply

PrewinThomas
Motivator
‎10-01-2025 08:57 PM

@deepthi5 

As @gcusello  mentioned, you can check on your license server. Also you can try below query,

index=_internal sourcetype=splunkd source=*license_usage.log* type=Usage
| eval GB = round(b/1024/1024/1024, 2)
| stats sum(GB) AS "Total GB" by s, st, idx
| sort - "Total GB" | rename s as Source st as Sourcetype idx as Index

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-30-2025 11:43 PM

Hi @deepthi5 ,

did you tried to use [Settings > Licensing > License Usage > Past 30 days > Splut by source] ?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...