
How to build a search that will provide metrics for peered data?

Path Finder

I need a search query to provide the amount of data by volume as well as by host.

0 Karma

Re: How to build a search that will provide metrics for peered data?

Super Champion

Without knowing field names or anything:

index=y | stats count by volume hostId

More details would be more helpful if this is not what you're looking for.

0 Karma

Re: How to build a search that will provide metrics for peered data?

SplunkTrust

Are you looking for the size of an index by different disk volume and indexers?

0 Karma

Re: How to build a search that will provide metrics for peered data?

Path Finder

volume by index

0 Karma

Re: How to build a search that will provide metrics for peered data?

SplunkTrust

I still don't fully understand the requirement here. Here are some queries that might be useful.

Total volume of index.

| rest /services/data/indexes | stats sum(currentDBSizeMB) as totalSizeMB by title | rename title as index_name

Total volume of index by Indexer

| rest /services/data/indexes | stats sum(currentDBSizeMB) as totalSizeMB by title splunk_server | rename title as index_name splunk_server as indexer_name

Daily license volumes for index (run from License Master)

index=_internal sourcetype=splunkd source=*license_usage.log type=usage | stats sum(b) as usage by idx | rename idx as index_name | eval usage_gb=round(usage/1024/1024/1024,3)

0 Karma

Re: How to build a search that will provide metrics for peered data?

Path Finder

Thanks for the input, much appreciated.

I have several peered splunk_servers in which I am trying to calculate the amount of data by (volume).

I.E. index=internal { list of 20 splunkservers} ........volume by index

0 Karma

Re: How to build a search that will provide metrics for peered data?

SplunkTrust

Amount of data (total) in the index OR amount of data ingested for a given time range?

0 Karma

Re: How to build a search that will provide metrics for peered data?

Path Finder

The amount of data indexed total and/or in the last 24 hours.

I already have this for one part of our network, so I'm good there: "index=_internal sourcetype=splunkd source=*license_usage.log type=usage | stats sum(b) as usage by idx | rename idx as index_name | eval usage_gb=round(usage/1024/1024/1024,3)"

0 Karma

Re: How to build a search that will provide metrics for peered data?

Path Finder

OK, so I figured out what it is supposed to look like:

the query is supposed to give the data volume over the course of a week (total).

0 Karma

Re: How to build a search that will provide metrics for peered data?

Splunk Employee

@bluemarvel - Did you figure out a working solution to your question? If yes, please post the full search so that others will know what you did. And then please click "Accept" to close out this question.

0 Karma
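
Added example (not posted by any participant in this thread): one way to get the weekly total described above, built from the license-usage search quoted in the thread, with the time range set to the last seven full days and the result split by index and host. It assumes the search runs where the license master's `_internal` index is searchable, and it uses the `h` (host) field of `license_usage.log`, which can be empty when Splunk squashes usage records; the `(squashed)` label is a made-up placeholder for those rows.

```spl
index=_internal sourcetype=splunkd source=*license_usage.log type=usage earliest=-7d@d latest=@d
| eval h=if(isnull(h) OR h=="", "(squashed)", h)
| stats sum(b) AS bytes BY idx h
| eval usage_gb=round(bytes/1024/1024/1024, 3)
| eventstats sum(usage_gb) AS index_total_gb BY idx
| rename idx AS index_name, h AS host
| fields index_name host usage_gb index_total_gb
| sort -index_total_gb, -usage_gb
```

Each row is one index/host pair for the week; `index_total_gb` repeats the per-index total so both the "by volume" and "by host" views come from one result set.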