- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- Re: Find Historical Index Volume Usage
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Find Historical Index Volume Usage
I am operating on an old 4.3.1 instance of Splunk. Recently I've built up our infrastructure with three new Indexers/Deployment Servers and two new search heads. I am able to view the index volume usage for the past two months since I started the project, but I am unable to obtain historical data pertaining to the volume of events being indexed.
This Splunk-base question worked perfectly for the past 2 months of data, but I cannot see anything beyond that. When I search for data previous to this time, I receive "No results found". This is the search string I have been using.
index=_internal source=*metrics.log splunk_server="local" | eval MB=kb/1024 | search group="per_index_thruput" | chart sum(MB) by series | sort - sum(MB)
I believe the problem may lie in there not being any metric logs beyond that point in time, is there any way to have Splunk evaluate all indexed events from a certain time/date/range and show me how much has been indexed on those days? I am evaluating my past license usage in preparation to create a business case to present to my execs to purchase a larger license.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This has to do with the data retention policy on the _internal index.
Look at: indexes.conf
Specifically the setting for: frozenTimePeriodInSecs
If you increase that, you should be able to store larger periods in your _internal index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it looks like there is nothing in my _internal index for anything beyond two months ago. I have definitely used a few search strings to find answers like this before, but there's simply nothing in that index currently.
Checked the Splunk Manager: "Earliest Event: May 14, 2013 6:57:20 AM"
Is there anyway to pull index volume usage from before this time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you check whether your _internal index has the historical data for anything for that period?
You can also try this search to get the usage.
index=_internal source="license_usage." |eval GB=b/1024/1024/1024)|rename GB as Usage_Stats
Advanced Splunk Data Management Strategies
Uncovering Multi-Account Fraud with Splunk Banking Analytics
Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...
