Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Re: How can I statistic daily indexed log size
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I statistic daily indexed log size
I use Splunk to index the log files from several server, today I have to report the indexed log size everyday as a chart, data is only 1 week for reporting.
Anyone has idea for creating a query and make a chart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can reference to default alerts in Splunk.
http://(your_server):8000/en-US/app/search/reports
Click "License Usage Data Cube"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=_internal source=*metrics.log group=per_index_thruput series=* | eval MB = round(kb/1024,2) | timechart sum(MB) as MB by series
Will return data indexing informations
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank @guilmxm, however there are no results found with group per_index_thruput
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm sorry i think i misunderstood your question, as you seem to want to chart an indexed log file and not the index itself.
You could create a simple shell script that will output time, logfile name, and size, (script input) and index where you want, and then generates charts as you need
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answer, I'm using Splunk 6, I see there is a feature named 'licenseusage' however the page was rendering with js. So I have to query for the information.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You can use the following request to get the current index size (size in MB):
| eventcount summarize=false report_size=true index=* | eval size_MB = round(size_bytes/1024/1024,2) | fields index, size_MB
At this point, you can schedule a savedsearch that will populates a summary index including a _time data extracted from the search time itself:
| eventcount summarize=false report_size=true index=*
| addinfo
| eval _time=info_search_time
| eval size_MB = round(size_bytes/1024/1024,2)
| fields _time,index,size_MB
And then finally generates chart based on this summary index.
New Release | Splunk Cloud Platform 10.1.2507
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
Splunk New Course Releases for a Changing World
