Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find out the GB/Day of data ingestion not using license data query?

scottj1y
Path Finder
‎07-11-2023 10:47 AM

Hi, I've been trying to piece together a query that a power user could run that could report the GB/Day of data indexed for a particular index without having to access the license usage data (which a power user wouldn't have access to).

 

I've been trying to leverage the dashboards in the Monitoring app but nothing seems to be quite what I need.  I'd like to get the deployment wide GB/day indexed for a single index which seems easy but so far I haven't been able to crack it.

 

Any suggestions?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

meetmshah
Builder
‎07-12-2023 12:15 PM

In any case, power user won't have access to the _internal index. You can either calculate the usage based on individual index like " | eval event_size=if(isnotnull(len(_raw)), len(_raw), 0) | stats sum(event_size) as total_bytes by sourcetype | eval total_gb=round(total_bytes/1024/1024/1024, 3)" 

OR

Create a saved search through the admin user which updates the lookup (or summary index) with ingestion details and let power users access that lookup / summary index for Dashboard panels.

 

The last option would be easy to manage and suggested.

 

Please accept the answer if that helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

scottj1y
Path Finder
‎07-12-2023 12:34 PM

Let me check that out and I will mark it gratefully.  😀

0 Karma
Reply
Solved! Jump to solution
Solution

meetmshah
Builder
‎07-12-2023 12:15 PM

In any case, power user won't have access to the _internal index. You can either calculate the usage based on individual index like " | eval event_size=if(isnotnull(len(_raw)), len(_raw), 0) | stats sum(event_size) as total_bytes by sourcetype | eval total_gb=round(total_bytes/1024/1024/1024, 3)" 

OR

Create a saved search through the admin user which updates the lookup (or summary index) with ingestion details and let power users access that lookup / summary index for Dashboard panels.

 

The last option would be easy to manage and suggested.

 

Please accept the answer if that helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...