Reporting

How can I get statistics for daily indexed log size?

ndkhoiits
Explorer

I use Splunk to index the log files from several servers. Today I have to report the indexed log size every day as a chart; the data is only 1 week for reporting.

Does anyone have an idea for creating a query and making a chart?

0 Karma

sunrise
Contributor

You can refer to the default alerts in Splunk.

http://(your_server):8000/en-US/app/search/reports
Click "License Usage Data Cube"

0 Karma

guilmxm
Influencer
index=_internal source=*metrics.log group=per_index_thruput series=* | eval MB = round(kb/1024,2) | timechart sum(MB) as MB by series

This will return data indexing information.

0 Karma

ndkhoiits
Explorer

Thanks @guilmxm, however there are no results found with group per_index_thruput.

0 Karma

guilmxm
Influencer

I'm sorry, I think I misunderstood your question, as you seem to want to chart an indexed log file and not the index itself.

You could create a simple shell script that will output the time, logfile name, and size (as a scripted input), index it where you want, and then generate charts as you need.

0 Karma
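A sketch of the kind of script described in the post above, as an added example that is not code from the thread's participants. The function names, the `LOG_PATHS` variable and the key=value field names are hypothetical choices; how the output is wired into Splunk as a scripted input is left to your own configuration.

```shell
#!/bin/sh
# Added example: reports log file sizes as one key=value event per file.
# Each line carries the epoch time, the file name and the size.
# LOG_PATHS is a hypothetical variable; set it to the files being indexed.

# Print the size of one file in bytes.
# wc -c is used instead of stat because stat flags differ between GNU and BSD.
file_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Emit one event line per path given as an argument.
# Missing or unreadable files are reported with status=missing so that a
# rotated or deleted log shows up as a gap rather than disappearing silently.
report_log_sizes() {
    now=$(date +%s)
    for f in "$@"; do
        if [ -f "$f" ] && [ -r "$f" ]; then
            size=$(file_size_bytes "$f")
            # LC_ALL=C keeps the decimal separator a dot in every locale.
            mb=$(LC_ALL=C awk -v b="$size" 'BEGIN { printf "%.2f", b / 1024 / 1024 }')
            printf '%s logfile="%s" size_bytes=%s size_MB=%s status=ok\n' \
                "$now" "$f" "$size" "$mb"
        else
            printf '%s logfile="%s" status=missing\n' "$now" "$f"
        fi
    done
}

# Run only when paths are configured, e.g.
#   LOG_PATHS="/var/log/app/*.log" sh report_log_sizes.sh
if [ -n "${LOG_PATHS:-}" ]; then
    # Unquoted on purpose: allows several paths and glob patterns.
    # shellcheck disable=SC2086
    report_log_sizes $LOG_PATHS
fi
```

The size reported is the file's size on disk at the time the script runs, so a daily figure comes from comparing successive samples of the same file.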

ndkhoiits
Explorer

Thanks for your answer. I'm using Splunk 6, and I see there is a feature named 'licenseusage'; however, the page is rendered with JS, so I have to query for the information.

0 Karma

guilmxm
Influencer

Hi,

You can use the following request to get the current index size (size in MB):

| eventcount summarize=false report_size=true index=* | eval size_MB = round(size_bytes/1024/1024,2) | fields index, size_MB

At this point, you can schedule a saved search that will populate a summary index, including a _time value extracted from the search time itself:

| eventcount summarize=false report_size=true index=*
| addinfo
| eval _time=info_search_time
| eval size_MB = round(size_bytes/1024/1024,2)
| fields _time,index,size_MB

And then finally generate a chart based on this summary index.

0 Karma