Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- License Usage
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am looking for the search that is used to calculate the indexing volume under the status tab in the search app.
I think the data comes from the index=_internal source="*license_usage.log"
I can't get the math right I am using | eval mb=b/1048576 | stats sum(mb) by h
But this is not giving me the same number at the indexing volume search
Anyone know how they calculate this number??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here it is:
index=_internal source=*metrics.log group=X | eval MB=kb/1024
I found it in the XML for the view, under Manager » User interface » Views » indexing_volume
The X should be one of the group field values
- per_index_thruput
- per_sourcetype_thruput
- per_source_thruput
- per_host_thruput
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here it is:
index=_internal source=*metrics.log group=X | eval MB=kb/1024
I found it in the XML for the view, under Manager » User interface » Views » indexing_volume
The X should be one of the group field values
- per_index_thruput
- per_sourcetype_thruput
- per_source_thruput
- per_host_thruput
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="_internal" source="*metrics*" group=per_index_thruput NOT series="_*" | stats sum(kb) as KB_indexed by date_month ,date_mday,date_year,splunk_server | eventcount summarize=false report_size=true index=* | fields index count server size_bytes | sort - count
But this is the index size then to get proper license usage the following search would be best:
sum per day per pool for the previous days : index=_internal source=*license_usage* type=RolloverSummary | bucket _time span=1d | stats sum(b) AS volume by _time pool
detail per pool: index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool
detail per source type : index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st useother=false
detail per host: index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by h useother=false
detail per indexer: index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by i useother=false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help Marco and Ms Guinn
his search comes close
| eval MB=b/1024/1024 | timechart span=1d sum(MB) by h
I get 559.109342 with the search above and for the same time period I get 560.3007612295 when I use the indexing_volume view mentioned above
Can you try on your system to see if you can reconcile the difference???
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
