Splunk Search

How to build a search that will provide metrics for peered data?

bluemarvel
Path Finder

I need a search query to provide the amount of data by volume as well as by host.

0 Karma

bluemarvel
Path Finder

OK, so I figured out what it is supposed to look like.

The query is supposed to give the data volume over the course of a week (total).

0 Karma

aaraneta_splunk
Splunk Employee

@bluemarvel - Did you figure out a working solution to your question? If yes, please post the full search so that others will know what you did. And then please click "Accept" to close out this question.

0 Karma

bluemarvel
Path Finder

The amount of data indexed total and/or in the last 24 hours

I already have this for one part of our network, so I'm good there: "index=_internal sourcetype=splunkd source=*license_usage.log type=usage | stats sum(b) as usage by idx | rename idx as index_name | eval usage_gb=round(usage/1024/1024/1024,3)"

0 Karma

bluemarvel
Path Finder

thanks for the input, much appreciated

I have several peered splunk_servers in which I am trying to calculate the amount of data by (volume)

I.E. index=_internal { list of 20 splunk_servers} ........volume by index

0 Karma

somesoni2
SplunkTrust

Amount of data (total) in Index OR amount of data ingested for a given time range?

0 Karma

somesoni2
SplunkTrust

I still don't fully understand the requirement here. Here are some queries that might be useful.

Total volume of index.

| rest /services/data/indexes | stats sum(currentDBSizeMB) as totalSizeMB by title | rename title as index_name

Total volume of index by Indexer

| rest /services/data/indexes | stats sum(currentDBSizeMB) as totalSizeMB by title splunk_server | rename title as index_name splunk_server as indexer_name

Daily license volumes for index (run from License Master)

index=_internal sourcetype=splunkd source=*license_usage.log type=usage | stats sum(b) as usage by idx | rename idx as index_name | eval usage_gb=round(usage/1024/1024/1024,3)

0 Karma
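
An added example, not part of any post in this thread: the license-usage search above extended to the week-long, per-index and per-host breakdown the question asks for. It assumes the search runs on the license master as noted above, and that the `h` (host) field in `license_usage.log` is populated; Splunk leaves `h` empty when it squashes high-cardinality usage records, so those rows are grouped under a label chosen here. The names `host_name`, `bytes` and `index_week_gb` are illustrative.

```spl
index=_internal sourcetype=splunkd source=*license_usage.log type=usage earliest=-7d@d latest=@d
``` h is empty when the license master squashed host/source detail; keep those bytes visible ```
| eval host_name=if(isnull(h) OR h=="", "(squashed)", h)
``` one bucket per calendar day over the last seven full days ```
| bin _time span=1d
| stats sum(b) as bytes by _time idx host_name
| eval usage_gb=round(bytes/1024/1024/1024, 3)
| rename idx as index_name
``` weekly total per index, so the largest indexes sort to the top ```
| eventstats sum(usage_gb) as index_week_gb by index_name
| sort 0 -index_week_gb index_name _time
| table _time index_name host_name usage_gb index_week_gb
```

A large share of volume under "(squashed)" means the per-host figures are incomplete for that index, while the per-index totals remain accurate.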

bluemarvel
Path Finder

volume by index

0 Karma

somesoni2
SplunkTrust

Are you looking for size of an index by different disk volume and Indexers?

0 Karma

cmerriman
Super Champion

without knowing field names or anything:

index=y |stats count by volume hostId

more details would be more helpful if this is not what you're looking for.

0 Karma