Find Historical Index Volume Usage

sdyawg
Engager

I am operating on an old 4.3.1 instance of Splunk. Recently I've built up our infrastructure with three new Indexers/Deployment Servers and two new search heads. I am able to view the index volume usage for the past two months since I started the project, but I am unable to obtain historical data pertaining to the volume of events being indexed.

This Splunk-base question worked perfectly for the past 2 months of data, but I cannot see anything beyond that. When I search for data previous to this time, I receive "No results found". This is the search string I have been using.

index=_internal source=*metrics.log splunk_server="local" | eval MB=kb/1024 | search group="per_index_thruput" | chart sum(MB) by series | sort - sum(MB)

I believe the problem may lie in there not being any metric logs beyond that point in time. Is there any way to have Splunk evaluate all indexed events from a certain time/date/range and show me how much has been indexed on those days? I am evaluating my past license usage in preparation to create a business case to present to my execs to purchase a larger license.

0 Karma

tiny3001
Path Finder

This has to do with the data retention policy on the _internal index.

Look at: indexes.conf

Specifically the setting for: frozenTimePeriodInSecs

If you increase that, you should be able to store larger periods in your _internal index.

0 Karma
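
An added example, not part of the original answer: a local indexes.conf override for the retention setting named above. The file location, the one-year period and the size cap are assumptions with constructed values; the size cap is included because buckets are also frozen once the index exceeds maxTotalDataSizeMB, so raising the time limit alone may not extend retention.

```ini
# $SPLUNK_HOME/etc/system/local/indexes.conf on each indexer (assumed location)
# Restart splunkd after editing so the new retention settings take effect.

[_internal]
# Age, in seconds, after which a bucket is rolled to frozen.
# 31536000 = 365 days (constructed value; size it to the reporting window needed).
frozenTimePeriodInSecs = 31536000

# Size ceiling for the whole index, in MB. When it is reached the oldest
# buckets are frozen even if they are younger than frozenTimePeriodInSecs.
# 100000 is a constructed value; check free disk before raising it.
maxTotalDataSizeMB = 100000

# Optional: archive frozen buckets to this directory instead of deleting them.
# The path is a placeholder.
# coldToFrozenDir = /path/to/frozen/_internal
```

The longer retention applies to data from this point on; buckets that were already frozen and deleted are not restored by the change.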

sdyawg
Engager

It looks like there is nothing in my _internal index for anything beyond two months ago. I have definitely used a few search strings to find answers like this before, but there's simply nothing in that index currently.

Checked the Splunk Manager: "Earliest Event: May 14, 2013 6:57:20 AM"

Is there any way to pull index volume usage from before this time?

0 Karma

linu1988
Champion

Could you check whether your _internal index has the historical data for anything for that period?
You can also try this search to get the usage.
index=_internal source="*license_usage.*" | eval GB=b/1024/1024/1024 | rename GB as Usage_Stats

0 Karma