Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- Re: License Usage
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am looking for the search that is used to calculate the indexing volume under the status tab in the search app.
I think the data comes from the index=_internal source="*license_usage.log"
I can't get the math right I am using | eval mb=b/1048576 | stats sum(mb) by h
But this is not giving me the same number at the indexing volume search
Anyone know how they calculate this number??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here it is:
index=_internal source=*metrics.log group=X | eval MB=kb/1024
I found it in the XML for the view, under Manager » User interface » Views » indexing_volume
The X should be one of the group field values
- per_index_thruput
- per_sourcetype_thruput
- per_source_thruput
- per_host_thruput
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here it is:
index=_internal source=*metrics.log group=X | eval MB=kb/1024
I found it in the XML for the view, under Manager » User interface » Views » indexing_volume
The X should be one of the group field values
- per_index_thruput
- per_sourcetype_thruput
- per_source_thruput
- per_host_thruput
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="_internal" source="*metrics*" group=per_index_thruput NOT series="_*" | stats sum(kb) as KB_indexed by date_month ,date_mday,date_year,splunk_server | eventcount summarize=false report_size=true index=* | fields index count server size_bytes | sort - count
But this is the index size then to get proper license usage the following search would be best:
sum per day per pool for the previous days : index=_internal source=*license_usage* type=RolloverSummary | bucket _time span=1d | stats sum(b) AS volume by _time pool
detail per pool: index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool
detail per source type : index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st useother=false
detail per host: index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by h useother=false
detail per indexer: index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by i useother=false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help Marco and Ms Guinn
his search comes close
| eval MB=b/1024/1024 | timechart span=1d sum(MB) by h
I get 559.109342 with the search above and for the same time period I get 560.3007612295 when I use the indexing_volume view mentioned above
Can you try on your system to see if you can reconcile the difference???
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
