Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Daily Ingest per index for last 7 days

Splunkerninja
Path Finder
‎04-24-2024 01:28 AM

Hi , I came across many queries to calculate daily ingest per index for last 7 days but I am not getting the expected results.

 

Can you please guide me with the query to calculate the daily ingest per index in GB for last 7 days?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎04-24-2024 05:11 AM

Hi @Splunkerninja,

You can use below query;

index=_internal source=*license_usage.log* type="Usage" 
| timechart span=1d eval(round(sum(b)/1024/1024/1024,3)) as GB by idx

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎04-24-2024 05:11 AM

Hi @Splunkerninja,

You can use below query;

index=_internal source=*license_usage.log* type="Usage" 
| timechart span=1d eval(round(sum(b)/1024/1024/1024,3)) as GB by idx

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-24-2024 02:21 AM

Hi @Splunkerninja,

do you want to calcuate the icense consuption or the number of events per index and per day?

In the first case see at [Settings > License > License Consuption past 60 days > by Index], or run this:

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx   | timechart span=1d sum(b) AS volumeB by idx fixedrange=false  | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | dedup _time stack | stats sum(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

In the second case, you could try something ike this:

index=*
| bin span=1d _time
| chart count OVER index BY _time

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Splunkerninja
Path Finder
‎04-24-2024 02:45 AM

The first query is not giving me any results. Even i replaced the macro with actualy query it gives zero result.

 

I basically want the total of daily ingest of each index over 7 days

index=_internal [ rest splunk_server=local /services/server/info | return host] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | join type=outer _time [ search index=_internal [ rest splunk_server=local /services/server/info | return host] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | dedup _time stack | stats sum(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [ eval <>=round('<>'/1024/1024/1024, 3)]

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-24-2024 02:59 AM

Hi @Splunkerninja ,

does the search in [Settings > License > License Consuption > last 60 days > divided by index] run?

I only copied this search.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Splunkerninja
Path Finder
‎04-24-2024 04:26 AM

@gcusello @bowesmana  We are on splunk cloud and we use workload based management for licenseing i.e SVC . So the query which you are giving is not giving aggregate daily ingest per index for last 7 days

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎04-24-2024 02:18 AM

so what did you try and what gave you the wrong results

This is the basic search

index=_internal source=/opt/splunk/var/log/splunk/license_usage.log idx=* st=*
| stats sum(b) as bytes by idx
| eval gb=round(bytes/1024/1024/1024,3)

 Run that over the time range you want

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...