Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I find out how much volume hosts are sending to my "main" index?

johnblakley
Explorer
‎09-27-2017 08:43 AM

I need to find how much volume hosts are sending to my "main" index. The search below queries the internal index, and I'm not seeing the hosts that I need. If I search a specific host under main index, the host is there and actively sending data to the indexer. I've tried modifying the search from index="_internal" to index="main", and it doesn't report anything back

From:

index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)

To:

index="main" source="WMI:WinEventLog:Security" | chart sum(kb) by series | sort - sum(kb)

But, with only:

index="main" source="WMI:WinEventLog:Security"

Brings back 2710 results from today.

I have hosts that are sending to this index, and I need to be able to tell how much data they're sending, but the internal index isn't showing them for some reason....

0 Karma
Reply

sbbadri
Motivator
‎09-27-2017 09:47 AM

@johnblakley

Please try with below query,

index=_internal source=*license_usage.log type="Usage" earliest=-30d@d latest=@d | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval idx=main | bin _time span=1d | eval b=b/1024/1024/1024 | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | addtotals | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d latest=@d | bin _time span=1d | stats latest(stacksz) AS "stack_size" by _time] | eval stack_size = round(stack_size/1024/1024/1024,5)

There is one app in splunkbase named meta woot. It will give some more capabilities.

https://splunkbase.splunk.com/app/2949/

0 Karma
Reply

johnblakley
Explorer
‎09-27-2017 11:29 AM

Your search didn't work. It resulted in nothing found. Metawoot doesn't find anything and it doesn't seem like I can change the index to anything but "All".

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...