Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Estimate Volume of Average Events Per Hour (in MB) for an Index/Sourcetype

SplunkDash
Motivator
‎11-18-2021 10:16 AM

Hello,

I can estimate the # of average events SPLUNK has for an index/sourcetype using following line of query /codes. How I would estimate the average Volume of data (in MB) SPLUNK receives per our for that index.  Thank you so much, appreciate your support.

Query to Estimate # of Ave Events per hour:

index=win_test sourcetype=* |bucket _time span=1h|stats count by _time|stats avg(count) as "Ave Events per Hour"

 

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-18-2021 01:05 PM

I believe the Monitoring Console has a dashboard panel that will provide that information.

If you want to do it yourself, try this variation of your query.

 

index=win_test sourcetype=* 
| bucket _time span=1h
| stats sum(eval(len(_raw))) as bytes by _time
| stats avg(bytes) as avgBytes
| eval avgMB=avgBytes/1024/1024
| rename avgMB as "Ave MB per Hour"

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

johnhuang
Motivator
‎11-18-2021 03:37 PM

index=_internal source=*metrics.log group=per_sourcetype_thruput earliest=-7d@d
| bucket _time span=1h
| stats sum(kb) AS size_kb BY _time series
| eval size_mb=size_kb/1024
| eval event_hour=strftime(_time, "%H:%M")
| rename series AS data_source
| chart limit=24 avg(size_mb) AS size_mb by data_source event_hour
| fillnull value="0.00"
| addtotals fieldname="hourly_avg"
| eval hourly_avg=ROUND(hourly_avg/24, 2)
| foreach *:* hourly_avg [| eval <<FIELD>>=ROUND('<<FIELD>>', 2)]

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-18-2021 01:05 PM

I believe the Monitoring Console has a dashboard panel that will provide that information.

If you want to do it yourself, try this variation of your query.

 

index=win_test sourcetype=* 
| bucket _time span=1h
| stats sum(eval(len(_raw))) as bytes by _time
| stats avg(bytes) as avgBytes
| eval avgMB=avgBytes/1024/1024
| rename avgMB as "Ave MB per Hour"

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

tro
Path Finder
‎09-23-2022 12:31 AM
@richgalloway wrote:

I believe the Monitoring Console has a dashboard panel that will provide that information.

If you want to do it yourself, try this variation of your query.

 

index=win_test sourcetype=* 
| bucket _time span=1h
| stats sum(eval(len(_raw)) as bytes by _time
| stats avg(bytes) as avgBytes
| eval avgMB=avgBytes/1024/1024
| rename avgMB as "Ave MB per Hour"

 

You query contains mismatched parenthesis on `sum` line.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-23-2022 04:50 AM

Fixed.  Thanks for letting me know.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...