Monitoring Splunk

How to get usage of a particular index or query usage?

splunkuseradmin
Path Finder

Hey all,
was wondering if there is way to find out usage of perticular index I have a query which gives some numbers i belive it is in kb's so i devided with 1048576 to get in GB's.
but is there any other ways to get more accurate data or some other ways so we can keep eyes on index=test usage data by user or by day something like that.

index=test | eval length = length(_raw)/ 1048576  | timechart span=1d sum(length) as Length

I have also been trying with below query but there is no data I get.

index=test source=*license_usage.log* type=Usage 

thanks

0 Karma

jazzypai
Path Finder

You can navigate to the Monitoring Console and view indexes with amount of data over time. It uses "index=_internal source=license_usage.log type=Usage" by default.

If you're searching "index=test source=license_usage.log type=Usage" then you will not be able to find license_usage.log because they are in index=_internal.

0 Karma

splunkuseradmin
Path Finder

I was looking to find out details for index=test

how much data is written on index ?
how often index=test is used in search queries?

0 Karma

splunkuseradmin
Path Finder

any suggestions

0 Karma

jazzypai
Path Finder

For how much data is written on index, you could view it through the gui by going to Settings > Indexes and viewing the summary of the index. If you need more granular let me know but I don't have access to verify searches right now.

This link provides a search which uses the _audit index to view what users are doing. Again, I can't verify right now but if you follow the advice you should be able to get retrieve all the events which include search queries. You would then need to search for "index=test" within those results and do a stats count. Please take a look and report back.

https://answers.splunk.com/answers/149332/how-to-view-the-list-of-search-queries-run-for-a-given-tim...

0 Karma

splunkuseradmin
Path Finder

I wanted to see how usage looks like.
ex.. if we doing 30% of data in index or calculation of all events and space using or may be how it runs month to date and shows usage looks like.

0 Karma

splunkuseradmin
Path Finder

i have poweruser roles not the admin roles and if i try doing search with index=test

"index=test action=search" nuthing shows up it looks like no action field available for every index ??

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Are you trying to find out how much data is written to index=test or how often 'index=test' is used in a search query?

---
If this reply helps you, Karma would be appreciated.
0 Karma

splunkuseradmin
Path Finder

yes exactly both

0 Karma

splunkuseradmin
Path Finder

any suggestions

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...