Knowledge Management

How to determine the data volume associated to a group of hosts?

olopez77
Explorer

I have data coming into the corporate indexers from several business units (BU). Given a list of hosts owned by each BU, how do you determine how much data volume is associated to each BU?

0 Karma

vincesesto
Communicator

Hey olopez77,

Have you checked out the Splunk License Usage app that is available:
http://splunk-base.splunk.com/apps/22382/splunk-license-usage

I think this should give you a good idea as to how you can set this up... One of the searches being performed on the dashboard does something like the following:

index="_internal" source="metrics.log" per_host_thruput | chart sum(kb) by series

So all you would really need to do is provide host details for each BU and you can get a total from that.

Hope that this helps, if not let me know and I would be happy to clarify.

Regards Vince

0 Karma

olopez77
Explorer

I'm not clear on how to "provide host details", I currently have over 22k hosts sending data. Each BU contributes data from several hundred hosts. The goal is to provide each BU a breakdown of how much volume each BU generates. I only have host lists (csv) to work from. Unfortunately, I have no mechanism in Splunk (i.e. tags, or dedicated indexes) that associate hosts to a BU.

0 Karma
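
One way to join the per-host search from the reply above to CSV host lists, as an added example that is not part of the original thread or of the Splunk License Usage app. It assumes the per-BU host lists have been merged into one lookup table file, hypothetically named bu_hosts.csv, with columns host (lower-case) and bu; the names host_key, hosts_seen and UNMAPPED are also illustrative.

```spl
index=_internal source=*metrics.log group=per_host_thruput
| eval host_key=lower(series)
| lookup bu_hosts.csv host AS host_key OUTPUT bu
| fillnull value="UNMAPPED" bu
| stats sum(kb) AS kb dc(host_key) AS hosts_seen BY bu
| eval GB=round(kb/1024/1024, 2)
| fields bu hosts_seen GB
| sort - GB
```

Hosts that appear in no BU list are grouped under UNMAPPED rather than silently dropped, which shows how complete the host lists are. By default metrics.log records only the busiest series in each sampling interval, so with thousands of hosts these totals are a lower bound and quiet hosts may not appear at all.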