
How to check total logs size in MB being sent by a host


Hey Guys,

Our Netflow monitoring system shows that most of the bandwidth is being consumed by port 9997 coming from a remote site with Splunk Forwarder and Head Office with Splunk Indexer.

What is the correct and accurate search query for getting the total log size (in MB) being sent by a host to the Splunk Indexer?

In Splunkweb, what is the search query to drill down the top log sources (in MB) in a 1 week period?




Definitely support using the Deployment Monitor ... I've also written a short blog post where I extracted a lot of the queries so you can individually schedule or run them and alert as needed... see it here:




hi splunktp

Here are two examples of how you could get how much was transferred.
If your universal forwarder and forwarder also forward internal logs, you can list the total size of all internal logs transferred for each log file with this command:

index=_internal source=*metrics* | stats sum(kb) by series 

The second command lists the raw size of all events and sums them up for each log file:

| eval raw_len=(len(_raw)/1028) | stats sum(raw_len) by source 

Hope this helps.



Oh sorry, I missed the MB in your question; the examples return everything in KB 😉



You do /1028 in your example; isn't it /1024? Or am I missing something that Splunk does with padding?

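Following the two searches above and the /1024 point, here is an added example search (not from any of the posters) that answers the original question directly: volume per host in MB over the last week, read from the per_host_thruput lines in metrics.log. It assumes the forwarders send their _internal index to the indexer, so those metrics.log events are searchable there.

```spl
index=_internal source=*metrics.log group=per_host_thruput earliest=-7d@d latest=now
| stats sum(kb) AS total_kb BY series
| eval total_mb=round(total_kb/1024, 2)
| sort - total_mb
| rename series AS host
| table host total_mb
```

Swap group=per_host_thruput for per_source_thruput or per_sourcetype_thruput to rank by source or sourcetype instead. These figures are indexed volume rather than the compressed bytes seen on port 9997, and metrics.log only records the top series per interval (maxseries in limits.conf, 10 by default), so small senders can be under-counted.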


I think you should look into the SplunkDeploymentMonitor, as it comes with a bunch of predefined searches that let you look up these things.


If you for some reason do not wish to do that, you can still get some information from Status -> Index Activity -> Indexing volume or more directly http(s)://your_server/en-GB/app/search/indexing_volume

There you can see the indexing broken down over host, source, sourcetype etc for an arbitrary period of time.

Hope this helps,



I downvoted this post because I'm pretty tired of hearing "use the deployment monitor". In a distributed, scaled environment, not everyone has access to that app. This glib response is equivalent to Splunk's standard "RTFM" answer.
