Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- License Usage
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am looking for the search that is used to calculate the indexing volume under the status tab in the search app.
I think the data comes from the index=_internal source="*license_usage.log"
I can't get the math right I am using | eval mb=b/1048576 | stats sum(mb) by h
But this is not giving me the same number at the indexing volume search
Anyone know how they calculate this number??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here it is:
index=_internal source=*metrics.log group=X | eval MB=kb/1024
I found it in the XML for the view, under Manager » User interface » Views » indexing_volume
The X should be one of the group field values
- per_index_thruput
- per_sourcetype_thruput
- per_source_thruput
- per_host_thruput
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here it is:
index=_internal source=*metrics.log group=X | eval MB=kb/1024
I found it in the XML for the view, under Manager » User interface » Views » indexing_volume
The X should be one of the group field values
- per_index_thruput
- per_sourcetype_thruput
- per_source_thruput
- per_host_thruput
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="_internal" source="*metrics*" group=per_index_thruput NOT series="_*" | stats sum(kb) as KB_indexed by date_month ,date_mday,date_year,splunk_server | eventcount summarize=false report_size=true index=* | fields index count server size_bytes | sort - count
But this is the index size then to get proper license usage the following search would be best:
sum per day per pool for the previous days : index=_internal source=*license_usage* type=RolloverSummary | bucket _time span=1d | stats sum(b) AS volume by _time pool
detail per pool: index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool
detail per source type : index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st useother=false
detail per host: index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by h useother=false
detail per indexer: index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by i useother=false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help Marco and Ms Guinn
his search comes close
| eval MB=b/1024/1024 | timechart span=1d sum(MB) by h
I get 559.109342 with the search above and for the same time period I get 560.3007612295 when I use the indexing_volume view mentioned above
Can you try on your system to see if you can reconcile the difference???
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
