Security

All Index logs display by Stats by Date

mailmetoramu
Explorer

Hello All,

Need a search query where I can see all the index logs by |stats by count, date, index. Tried the below search query but it didn't help:

index= * source=*license_usage.log type="Usage" splunk_server=* earliest=-2month@d | eval Date=strftime(_time, "%Y/%m/%d") | eventstats sum(b) as volume by idx, Date | eval MB=round(volume/1024/1024,5) | timechart first(MB) AS volume by idx

0 Karma

mailmetoramu
Explorer

Hello Giuseppe,

Thanks for your time on this.

Tried the query you provided, but getting "No results found. Try expanding the time range". Tried expanding the time range also but no luck.

Need search query which can give a stats data like below :

All Index  :     Date/Time :     SourceType :

Time Range will be : 1st Nov to 1st Dec 2021

0 Karma

gcusello
SplunkTrust

Hi @mailmetoramu,

can you access the _internal index?

It seems that you cannot!

If you cannot, it's really difficult to solve your need.

If yes, to debug the above query, you have to run it while removing the search sections one by one from the end, working back to the main search, to understand whether there's a problem in the search or whether you can access the data.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @mailmetoramu,

let me understand: you want a search that displays the time distribution of the quantity of logs indexed in each index, is that correct?

If this is your need, you could use the search that you can find in the 60 days license consumption dashboard or in the Monitoring Console.

The only limit is the retention time of your internal logs (index=_internal) that's usually less than 60 days.

If you have the above data, you could run a search like this:

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx   
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=0  
| fields - _timediff  
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Ciao.

Giuseppe

0 Karma
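Neither the asker's query nor Giuseppe's search above can be run outside Splunk, so as an added illustration (not part of either post) here is a small Python emulation of what those pipelines do to license_usage.log: it parses the type=Usage lines, applies the same "(SQUASHED)" / "(UNKNOWN)" defaults as the eval statements, buckets events by day and index, sums b and rounds to MB, and also keeps the per-bucket event count the first post asked for. The log lines, host and index names and the EXAMPLE-GUID are constructed for this example, and the line layout follows the license_usage.log format as I know it, which is an assumption. It goes one step past the thread by flagging an index that reports volume on one day and nothing on a later day, which is the kind of ingestion gap a security team wants to notice before an incident makes it obvious.

```python
"""Offline emulation of the per-day, per-index license-usage rollup from this thread."""
import re
from collections import defaultdict
from datetime import datetime

# key=value parser for the payload of a LicenseUsage line. Quoted values
# (s, st, h, idx, pool, ...) and unquoted ones (b, poolsz) are both handled.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_TS = re.compile(r'^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})')

# Constructed sample of license_usage.log lines (layout is an assumption;
# hosts, indexes and the GUID are invented for the example).
SAMPLE_LOG = """\
11-01-2021 00:00:05.229 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st="syslog" h="fw01" o="" idx="security" i="EXAMPLE-GUID" pool="auto_generated_pool_enterprise" b=1048576 poolsz=10737418240
11-01-2021 00:00:05.230 +0000 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="WinEventLog" h="dc01" o="" idx="wineventlog" i="EXAMPLE-GUID" pool="auto_generated_pool_enterprise" b=524288 poolsz=10737418240
11-01-2021 00:00:05.231 +0000 INFO  LicenseUsage - type=RolloverSummary slave="EXAMPLE-GUID" pool="auto_generated_pool_enterprise" b=1572864
11-02-2021 00:00:04.118 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st="syslog" h="fw01" o="" idx="security" i="EXAMPLE-GUID" pool="auto_generated_pool_enterprise" b=2097152 poolsz=10737418240
11-02-2021 00:00:04.119 +0000 INFO  LicenseUsage - type=Usage s="" st="" h="" o="" idx="" i="EXAMPLE-GUID" pool="auto_generated_pool_enterprise" b=4096 poolsz=10737418240
"""


def parse_usage_line(line):
    """Return a dict for a type=Usage line, or None for any other line.

    Mirrors the evals in Giuseppe's search: empty or missing h and s become
    "(SQUASHED)" (Splunk squashes per-host/source detail above a threshold),
    empty or missing idx becomes "(UNKNOWN)".
    """
    m = _TS.match(line)
    if not m or 'LicenseUsage' not in line:
        return None
    fields = {}
    for kv in _KV.finditer(line.partition(' - ')[2]):
        # group 2 is the quoted value (may legitimately be ""), group 3 the bare one
        fields[kv.group(1)] = kv.group(2) if kv.group(2) is not None else kv.group(3)
    if fields.get('type') != 'Usage':
        return None
    ts = datetime.strptime(m.group(1), '%m-%d-%Y %H:%M:%S')
    return {
        'date': ts.strftime('%Y/%m/%d'),  # same as strftime(_time, "%Y/%m/%d")
        'h': fields.get('h') or '(SQUASHED)',
        's': fields.get('s') or '(SQUASHED)',
        'st': fields.get('st') or '(UNKNOWN)',
        'idx': fields.get('idx') or '(UNKNOWN)',
        'pool': fields.get('pool', ''),
        'b': int(fields.get('b', 0)),
    }


def rollup_by_day_and_index(lines):
    """Aggregate into {(date, idx): {'count': n, 'bytes': b, 'MB': x}}.

    Equivalent to: | bin _time span=1d | stats count sum(b) as b by Date, idx
    followed by round(b/1024/1024, 5) from the asker's query.
    """
    agg = defaultdict(lambda: {'count': 0, 'bytes': 0})
    for line in lines:
        ev = parse_usage_line(line)
        if ev is None:
            continue
        bucket = agg[(ev['date'], ev['idx'])]
        bucket['count'] += 1
        bucket['bytes'] += ev['b']
    for bucket in agg.values():
        bucket['MB'] = round(bucket['bytes'] / 1024 / 1024, 5)
    return dict(agg)


def indexes_gone_quiet(rollup):
    """List (date, idx) pairs where an index that had reported volume earlier
    in the range reports nothing: a cheap check for dead forwarders or a
    log source that was silenced."""
    dates = sorted({d for d, _ in rollup})
    quiet = []
    for idx in sorted({i for _, i in rollup}):
        seen = False
        for d in dates:
            if (d, idx) in rollup:
                seen = True
            elif seen:
                quiet.append((d, idx))
    return quiet


if __name__ == '__main__':
    rollup = rollup_by_day_and_index(SAMPLE_LOG.splitlines())
    print(f"{'Date':<12}{'Index':<14}{'count':>6}{'MB':>12}")
    for (date, idx), v in sorted(rollup.items()):
        print(f"{date:<12}{idx:<14}{v['count']:>6}{v['MB']:>12}")
    for date, idx in indexes_gone_quiet(rollup):
        print(f"WARNING: no usage reported for index {idx} on {date}")
```

Running it over a real license_usage.log export (one line per list entry) gives the same Date/Index/MB table the original searches produce; the warning list is the extra step, and in practice it is the line worth alerting on, since a security index that silently stops growing is usually a collection failure rather than a quiet day.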