we have daily ingestion of 7 TB but how do i know ...

deepthi5

splunk query to find how much data is coming via hec , how much data is coming via dbconnect , how much data is coming via Universal forwarder per day

isoutamo

1st you must know what are those sources or access points what you want to calculate. Then you need to define which sources are coming through those.

Then you need to calculate totals per input types like HEC, DBX and UF.

You can use those examples from @gcusello and @PrewinThomas to get information from individual nodes, indexes etc. but you cannot get that by access type as easily.

PrewinThomas

@deepthi5

As @gcusello mentioned, you can check on your license server. Also you can try below query,

index=_internal sourcetype=splunkd source=*license_usage.log* type=Usage
| eval GB = round(b/1024/1024/1024, 2)
| stats sum(GB) AS "Total GB" by s, st, idx
| sort - "Total GB" | rename s as Source st as Sourcetype idx as Index

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

gcusello

Hi @deepthi5 ,

did you tried to use [Settings > Licensing > License Usage > Past 30 days > Splut by source] ?

Ciao.

Giuseppe

we have daily ingestion of 7 TB but how do i know which source is sending how much data

universal forwarder

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

we have daily ingestion of 7 TB but how do i know which source is sending how much data

universal forwarder

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine