was wondering if there is way to find out usage of perticular index I have a query which gives some numbers i belive it is in kb's so i devided with 1048576 to get in GB's.
but is there any other ways to get more accurate data or some other ways so we can keep eyes on index=test usage data by user or by day something like that.
index=test | eval length = length(_raw)/ 1048576 | timechart span=1d sum(length) as Length
I have also been trying with below query but there is no data I get.
index=test source=*license_usage.log* type=Usage
You can navigate to the Monitoring Console and view indexes with amount of data over time. It uses "index=_internal source=license_usage.log type=Usage" by default.
If you're searching "index=test source=license_usage.log type=Usage" then you will not be able to find license_usage.log because they are in index=_internal.
For how much data is written on index, you could view it through the gui by going to Settings > Indexes and viewing the summary of the index. If you need more granular let me know but I don't have access to verify searches right now.
This link provides a search which uses the _audit index to view what users are doing. Again, I can't verify right now but if you follow the advice you should be able to get retrieve all the events which include search queries. You would then need to search for "index=test" within those results and do a stats count. Please take a look and report back.
I wanted to see how usage looks like.
ex.. if we doing 30% of data in index or calculation of all events and space using or may be how it runs month to date and shows usage looks like.
i have poweruser roles not the admin roles and if i try doing search with index=test
"index=test action=search" nuthing shows up it looks like no action field available for every index ??