How can I get statistics on daily indexed log size?

Explorer

I use Splunk to index the log files from several servers. Today I have to report the indexed log size for every day as a chart; the data is only 1 week for reporting.

Does anyone have an idea for creating a query and making a chart?

0 Karma

Contributor

You can refer to the default alerts in Splunk.

http://(your_server):8000/en-US/app/search/reports
Click "License Usage Data Cube"

0 Karma

SplunkTrust

index=_internal source=*metrics.log group=per_index_thruput series=* | eval MB = round(kb/1024,2) | timechart sum(MB) as MB by series

This will return data indexing information.

0 Karma

Explorer

Thanks @guilmxm, however there are no results found with group per_index_thruput.

0 Karma

SplunkTrust

I'm sorry, I think I misunderstood your question, as you seem to want to chart an indexed log file and not the index itself.

You could create a simple shell script (a scripted input) that outputs the time, logfile name, and size, index it wherever you want, and then generate charts as you need.

0 Karma
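
The scripted-input idea from the reply above, as an added example that is not part of the original thread: a POSIX shell function that prints one key=value event per log file. The function name `emit_log_sizes`, the field names `logfile` and `size_bytes`, and the `*.log` pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Scripted-input sketch (added example): print one event per log file as
#   <UTC timestamp> logfile="<path>" size_bytes=<n>
# key=value pairs like these are extracted automatically at search time.

# emit_log_sizes DIR [DIR...]   (hypothetical function and field names)
emit_log_sizes() {
    # One timestamp per run, so all events of a run land in the same chart bucket.
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            # Warn on stderr so a missing directory does not pollute the indexed stream.
            echo "$now level=WARN msg=\"not a directory\" path=\"$dir\"" >&2
            continue
        fi
        # Assumption: log files end in .log; adjust the pattern as needed.
        # Paths containing newlines are not supported by this line-based loop.
        find "$dir" -type f -name '*.log' | while IFS= read -r f; do
            # Skip files that vanished or are unreadable since find listed them.
            [ -r "$f" ] || continue
            # wc -c is portable (stat flags differ between GNU and BSD);
            # tr strips the padding some wc implementations add.
            size=$(wc -c < "$f" | tr -d '[:space:]')
            printf '%s logfile="%s" size_bytes=%s\n' "$now" "$f" "$size"
        done
    done
}

# When run as a script, the directories to scan come from the command line.
if [ "$#" -gt 0 ]; then
    emit_log_sizes "$@"
fi
```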

Explorer

Thanks for your answer. I'm using Splunk 6, and I see there is a feature named 'licenseusage'; however, the page was rendered with JS, so I have to query for the information.

0 Karma

SplunkTrust

Hi,

You can use the following request to get the current index size (size in MB):

| eventcount summarize=false report_size=true index=* | eval size_MB = round(size_bytes/1024/1024,2) | fields index, size_MB

At this point, you can schedule a saved search that will populate a summary index, including a _time value extracted from the search time itself:

| eventcount summarize=false report_size=true index=*
| addinfo
| eval _time=info_search_time
| eval size_MB = round(size_bytes/1024/1024,2)
| fields _time,index,size_MB

And then finally generate a chart based on this summary index.

0 Karma