How to check my indexing volume exceeded and whic...

arulnight · ‎10-25-2019

Hi All

How to check my indexing volume exceeded and try to find out which server getting lots of data?
can anyone help me out?

saramamurthy_sp · ‎10-28-2019

You must have a Monitoring console as it becomes handy and also to get the complete information about you enviornment.
You can monitor a lot of aspect of your enviornment. The dashoboard will give you the complete insight of your indexing performances.

The dash board will give you plenty of information about your indexes and volumes such as:

Disk usage by index

Volume usage

Index and volume size over time

Data age

Statistics for bucket types

Bucket settings

And viewing this dashboard will give you all the requred information. I would suggest you to read the below document.

DOC: https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Viewindexstatus

woodcock · ‎10-25-2019

There are several views for this kind of thing on the Monitoring Console but if you don't have one or are not allowed on to it, you can try these:

| tstats count WHERE index=* BY host

And:

| tstats count WHERE index=* BY host _time span=1h | timechart span=1h sum(count) AS count BY host

And:

index=* | eval bytes=len(_raw) | stats sum(bytes) AS bytes BY host

And:

index=* | eval bytes=len(_raw) | timechart span=1 sum(bytes) AS bytes BY host

How to check my indexing volume exceeded and which server to get lots of data?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life