Solved: Re: How do you calculate the daily indexed events ...

appleman · ‎08-11-2014

Hello.

I'd like to know how to calculate the daily indexed events and volume on search head.

When I checked the license master, it calculated only the previous month (last 30 days), but I want to know the trend in the whole year.

How do I do that?

Now about 3.8 billion events were indexed in Splunk, is it even possible to go calculate all to see the trend?

Thank you.

strive · ‎08-11-2014

Try this

index=_internal source=*license_usage.log | eval GB=b/1024/1024/1024 | bucket _time span=1d | stats sum(GB) as GB_Indexed by _time

You can use i, h, s and etc.. in stats group by.

i for indexer

h for host

s for source

strive · ‎08-11-2014

Try this

index=_internal source=*license_usage.log | eval GB=b/1024/1024/1024 | bucket _time span=1d | stats sum(GB) as GB_Indexed by _time

You can use i, h, s and etc.. in stats group by.

i for indexer

h for host

s for source

appleman · ‎08-11-2014

Thank you. But the thing is, I have to run this query on license master, right?

appleman · ‎08-11-2014

And I don't want to count index=_internal since it doesn't count as indexed volume for license.

How do you calculate the daily indexed events or volume on search head, not on license master?