Monitoring Splunk

How can we measure two removed monitored files?

ddrillic
Ultra Champion

A customer asked to remove two monitored files, which I did today.

They asked -

-- Is there a way we can get the exact difference in data per file to see exactly how much reduction this change will result in? Is there a way to combine the information in index=_internal and the |metadata logs?

Tags (2)
0 Karma
1 Solution

woodcock
Esteemed Legend

Because this is a one-off, you can do something like this (with All time for Timepicker😞

index=foo sourcetype=bar
| eval bytes=len(_raw)
| stats sum(bytes) AS bytes BY source

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

You're looking for reduction of license usage OR event count? You get license usage by source, so you can look at previous usage for those files to see how much you've reduced.

ddrillic
Ultra Champion

It's interesting @somesoni2 as I refound your response at License usage for one index broken down by sourcetype

0 Karma

woodcock
Esteemed Legend

Because this is a one-off, you can do something like this (with All time for Timepicker😞

index=foo sourcetype=bar
| eval bytes=len(_raw)
| stats sum(bytes) AS bytes BY source

ddrillic
Ultra Champion

This is gorgeous @woodcock !!!

Quick question - our developer came up with the following query -

index=_internal sourcetype=splunkd source=*license_usage.log type=Usage idx=<index name> 
| stats sum(b) as usage by idx st 
| eval usage_MB=round(usage/1024/1024,3) 
| eventstats sum(usage_MB) as totalMB 
| eval perc=usage_MB/totalMB

Can we achieve these results without using the eventstats command?

0 Karma

woodcock
Esteemed Legend

This command is quicker and should give approximately the same result as my solution. If you do not care about breaking out by sourcetype, you can do something like this (without the eventstats😞

index=_internal sourcetype=splunkd source=*license_usage.log type=Usage idx=<index name> 
| stats sum(b) AS usage values(st) AS st BY idx
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...