Splunk Dev

Search for the volume of data ingested into a specific index in MB

rleadingham
Engager

I have spent hours today researching and testing all sort of searches and I just cannot figure out how to find the information I want. I would have thought it would have been straight forward to find the total volume of data sent to a specific index in MB.

I have came close but only by experimenting with many examples I found on the site.

Any advice would be very much appreciated.

Thank you!

Tags (1)
0 Karma
1 Solution

somesoni2
Revered Legend

Try this (gives the amount of license used for indexes)

index=_internal sourcetype=splunkd source=*license_usage.log type=Usage 
| stats sum(b) as bytes by idx | eval mb=round(bytes/1024/1024,3)

View solution in original post

woodcock
Esteemed Legend
0 Karma

somesoni2
Revered Legend

Try this (gives the amount of license used for indexes)

index=_internal sourcetype=splunkd source=*license_usage.log type=Usage 
| stats sum(b) as bytes by idx | eval mb=round(bytes/1024/1024,3)

splunkdevabhi
Explorer

How to check the daily indexing in such cases ? Would adding span=1d and a timechart help?

0 Karma

somesoni2
Revered Legend

If you want overall, then you can use this timechart version

index=_internal sourcetype=splunkd source=*license_usage.log type=Usage 
 | timechart span=1d sum(b) as usage_mb| eval usage_mb=round(usage_mb/1024/1024,3)

For per index, you can use this

  index=_internal sourcetype=splunkd source=*license_usage.log type=Usage 
     | timechart span=1d sum(b) as usage by idx limit=0 | foreach * [ eval "<<FIELD>>"=round('<<FIELD>>'/1024/1024,3)]

OR

 index=_internal sourcetype=splunkd source=*license_usage.log type=Usage 
     | bucket span=1d _time | stats sum(b) as bytes by _time idx | eval mb=round(bytes/1024/1024,3)
0 Karma

rleadingham
Engager

This is absolutely perfect thank you very much. I have what I am looking for and I have learnt more about how to query in Splunk!

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...