I need a search query to provide amount of data by volume as well as by host
ok, so I figured out what it is supposed to look like,
the query is supposed to give the data volume over the course of a week (total).
@bluemarvel - Did you figure out a working solution to your question? If yes, please post the full search so that others will know what you did. And then please click "Accept" to close out this question.
The amount of data indexed total and/or in the last 24 hours
I already have this for one part of our network, so I'm good there: "index=_internal sourcetype=splunkd source=*license_usage.log type=usage | stats sum(b) as usage by idx | rename idx as index_name | eval usage_gb=round(usage/1024/1024/1024,3)"
thanks for the input, much appreciated
I have several peered splunk_servers in which I am trying to calculate the amount of data by (volume)
I.E. index=_internal { list of 20 splunk_servers} ........volume by index
Amount of data (total) in Index OR amount of data ingested for a given time range?
I still don't fully understand the requirement here. Here are some queries that might be useful.
Total volume of index.
| rest /services/data/indexes | stats sum(currentDBSizeMB) as totalSizeMB by title | rename title as index_name
Total volume of index by Indexer
| rest /services/data/indexes | stats sum(currentDBSizeMB) as totalSizeMB by title splunk_server | rename title as index_name splunk_server as indexer_name
Daily License volumes for index (run from License Master)
index=_internal sourcetype=splunkd source=*license_usage.log type=usage | stats sum(b) as usage by idx | rename idx as index_name | eval usage_gb=round(usage/1024/1024/1024,3)
volume by index
Are you looking for size of an index by different disk volume and Indexers?
without knowing field names or anything:
index=y |stats count by volume hostId
more details would be more helpful if this is not what you're looking for.
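An added example, not posted by anyone in this thread: one way to get the week's ingested volume broken down by both index and host, extending the license_usage.log search above with the `h` (host) field from the same log. The output field names (host_name, bytes, index_total_gb) are chosen here for illustration; the eval on `h` assumes the license master may have left the host field empty because of squashing (squash_threshold in server.conf), so that volume is kept under its own label instead of silently dropping out of the by-host totals.

```spl
index=_internal sourcetype=splunkd source=*license_usage.log type=usage earliest=-7d@d latest=@d
| eval host_name=if(isnull(h) OR h=="", "(squashed)", h)
| stats sum(b) as bytes by idx host_name
| eval usage_gb=round(bytes/1024/1024/1024, 3)
| eventstats sum(usage_gb) as index_total_gb by idx
| rename idx as index_name
| sort - index_total_gb, - usage_gb
| fields index_name host_name usage_gb index_total_gb
```

Like the daily license search, this has to run where the license master's _internal data is searchable, and a large "(squashed)" row means the per-host split is incomplete for that index.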