Until we hit release, things are still moving around a little bit. That said, this will give you a good idea of how much data is being generated by the app (run a 24-hour search to gauge license impact):

`idx-ucs-all` | eval esize=len(_raw) | stats count(sourcetype) as count, avg(esize) as avgEventSize by sourcetype | eval TotalMBytes=round(count*avgEventSize/1048576,2)

Or if you want to see it for a single UCS domain:

`idx-ucs-all` ucs={UCS MANAGER NAME} OR host={MANAGER SYSLOG SOURCE IP} | eval esize=len(_raw) | stats count(sourcetype) as count, avg(esize) as avgEventSize by sourcetype | eval TotalMBytes=round(count*avgEventSize/1048576,2)

What you'll see is a list, by sourcetype, of how much data is in Splunk. In particular, look at the sourcetype "ciscoucs:ucsm:perf", which is your performance data. That is always going to be the lion's share of the data given what it is and how frequently it is collected. By default, as of this writing, it's collected every five minutes, but that can be changed, so bear that in mind.

Also bear in mind that this is by MANAGER, not by SERVER. You can certainly work up a search that would break your data down by other criteria, but I felt that manager was a good first place to start. Even so, one shop is going to have 10 blades per pod, and another will have 20 or 40, so I expect to need to refine the formula to come up with something that gets a more consistent answer.

P.S. My single manager, double-chassis lab environment generates less than 60 MB of data a day. I don't yet have a good feel for what happens in production environments, but these measurements are coming.

HTH

Hal Rottenberg, Product Manager for the Splunk App for Cisco UCS