Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Estimate Volume of Average Events Per Hour (in MB) for an Index/Sourcetype

SplunkDash
Motivator
‎11-18-2021 10:16 AM

Hello,

I can estimate the # of average events SPLUNK has for an index/sourcetype using following line of query /codes. How I would estimate the average Volume of data (in MB) SPLUNK receives per our for that index.  Thank you so much, appreciate your support.

Query to Estimate # of Ave Events per hour:

index=win_test sourcetype=* |bucket _time span=1h|stats count by _time|stats avg(count) as "Ave Events per Hour"

 

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-18-2021 01:05 PM

I believe the Monitoring Console has a dashboard panel that will provide that information.

If you want to do it yourself, try this variation of your query.

 

index=win_test sourcetype=* 
| bucket _time span=1h
| stats sum(eval(len(_raw))) as bytes by _time
| stats avg(bytes) as avgBytes
| eval avgMB=avgBytes/1024/1024
| rename avgMB as "Ave MB per Hour"

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

johnhuang
Motivator
‎11-18-2021 03:37 PM

index=_internal source=*metrics.log group=per_sourcetype_thruput earliest=-7d@d
| bucket _time span=1h
| stats sum(kb) AS size_kb BY _time series
| eval size_mb=size_kb/1024
| eval event_hour=strftime(_time, "%H:%M")
| rename series AS data_source
| chart limit=24 avg(size_mb) AS size_mb by data_source event_hour
| fillnull value="0.00"
| addtotals fieldname="hourly_avg"
| eval hourly_avg=ROUND(hourly_avg/24, 2)
| foreach *:* hourly_avg [| eval <<FIELD>>=ROUND('<<FIELD>>', 2)]

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-18-2021 01:05 PM

I believe the Monitoring Console has a dashboard panel that will provide that information.

If you want to do it yourself, try this variation of your query.

 

index=win_test sourcetype=* 
| bucket _time span=1h
| stats sum(eval(len(_raw))) as bytes by _time
| stats avg(bytes) as avgBytes
| eval avgMB=avgBytes/1024/1024
| rename avgMB as "Ave MB per Hour"

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

tro
Path Finder
‎09-23-2022 12:31 AM
@richgalloway wrote:

I believe the Monitoring Console has a dashboard panel that will provide that information.

If you want to do it yourself, try this variation of your query.

 

index=win_test sourcetype=* 
| bucket _time span=1h
| stats sum(eval(len(_raw)) as bytes by _time
| stats avg(bytes) as avgBytes
| eval avgMB=avgBytes/1024/1024
| rename avgMB as "Ave MB per Hour"

 

You query contains mismatched parenthesis on `sum` line.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-23-2022 04:50 AM

Fixed.  Thanks for letting me know.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...