Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Logs quantity

BRFZ
Communicator
‎09-13-2024 03:22 AM

Hello,

Could you please provide guidance on how to retrieve the daily quantity of logs per host? Specifically, I am looking for a method or query to get the amount of logs generated each day, broken down by host.

Best regards,

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-14-2024 02:24 AM

There are license reports mentioned by @gcusello which are quite useful. But they might contain some summarized data. You can search you raw data and calculate it manually

index=whatever
| stats sum(eval(len(_raw))) BY host

Some caveats though

1. It is slow - it must read all events and check their lengths. You can walk around this problem by creating an indexed field containing event's length.

2. It shows the size of searchable data. Won't show the data you don't have acess to (if you're searching through multiple indexes and have rights to only some of them, won't show you the size of "removed" data if someone used | delete, will be probably limited by role's search filters and so on)

3. Be cautious about _time vs. _indextime

Reply

gcusello
SplunkTrust
SplunkTrust
‎09-13-2024 03:47 AM

Hi @BRFZ ,

you can use the License Usage Report [Settings > Licensing > Usage Report > Previous 30 days >Split by Host] and customize it or the Monitoring Console App tha tgives the same results.

The only limit is the retention time of yur _internal data.

Ciao.

Giuseppe

Reply

BRFZ
Communicator
‎09-13-2024 05:08 AM

Hello @gcusello,

Is this not achievable via a search, please?

Best regards,

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-13-2024 06:38 AM

Hi @BRFZ ,

every dashboard in Splunk is a search, you can Open in Search the panel (using the button with the same name) and see how it's written to modify it, in few words, this:

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx   
| timechart span=1d sum(b) AS volumeB by h fixedrange=false  
| join type=outer _time [search 
     index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d 
     | eval _time=_time - 43200 
     | bin _time span=1d 
     | dedup _time stack 
     | stats sum(stacksz) AS "stack size" by _time] 
| fields - _timediff  
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Ciao.

Giuseppe

Reply

dural_yyz
Motivator
‎09-13-2024 06:07 AM 
| tstats count where index=* index!=_* by host

This will only give you a count of events, there is no insight to size of storage requirements.  You can add sourcetype and/or source after the host field if you need more detailed information.

It all depends upon what your specific goals are. 

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...