- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- How to find out the GB/Day of data ingestion not u...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I've been trying to piece together a query that a power user could run that could report the GB/Day of data indexed for a particular index without having to access the license usage data (which a power user wouldn't have access to).
I've been trying to leverage the dashboards in the Monitoring app but nothing seems to be quite what I need. I'd like to get the deployment wide GB/day indexed for a single index which seems easy but so far I haven't been able to crack it.
Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In any case, power user won't have access to the _internal index. You can either calculate the usage based on individual index like " | eval event_size=if(isnotnull(len(_raw)), len(_raw), 0) | stats sum(event_size) as total_bytes by sourcetype | eval total_gb=round(total_bytes/1024/1024/1024, 3)"
OR
Create a saved search through the admin user which updates the lookup (or summary index) with ingestion details and let power users access that lookup / summary index for Dashboard panels.
The last option would be easy to manage and suggested.
Please accept the answer if that helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let me check that out and I will mark it gratefully. 😀
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In any case, power user won't have access to the _internal index. You can either calculate the usage based on individual index like " | eval event_size=if(isnotnull(len(_raw)), len(_raw), 0) | stats sum(event_size) as total_bytes by sourcetype | eval total_gb=round(total_bytes/1024/1024/1024, 3)"
OR
Create a saved search through the admin user which updates the lookup (or summary index) with ingestion details and let power users access that lookup / summary index for Dashboard panels.
The last option would be easy to manage and suggested.
Please accept the answer if that helps!
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
