How do I get a complete size of all logs ingested by Splunk Enterprise & Enterprise Security incl. Indexes. Showing indexes taking the most load?
The Monitoring Console can show which indexes are getting the most data. It will even break it out by source, sourcetype, and (IIRC) host.
Thank u again Rich. Does the sizes show are the complete ( including all logs) for the Indexes. Are there any other place I need to check to come up with complete metrics? I am doing this for sake of saving licenses going over the limit. Would you by any chance have " best practices" for trimming the license fat ? Thank u sir.
The first Best Practice is to only ingest what you need. Disable inputs for use cases you're not monitoring. Increase the input interval where possible. Be picky about which Windows events you ingest.
Trim the fat from Windows events. They all contain the same boiler-plate text at the end that serves no useful purpose. See https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorWindowseventlogdata#Suppress_... and https://community.splunk.com/t5/Getting-Data-In/Windows-Event-filtering-truncation-at-IDX-and-HF/m-p...