I need to create a report that shows max indexed volume per day by month per index. The following search gives me the indexing volume per day per index. How can I modify this search to get what I need?
index=_internal source=license_usage.log type=Usage | timechart span=1d sum(eval(b/1024/1024/1024)) AS volume_b by idx
index=_internal source=license_usage.log type=Usage | stats sum(eval(b/1024/1024/1024)) AS volume_b by idx date_mday date_month date_year | stats max(volume_b) by idx date_month date_year
How do I use this query to get the data in GB in readable format?
index=_internal source=*license_usage.log type=Usage | timechart span=1d sum(eval(b/1024/1024/1024)) AS volume_b by idx
- I also want to see how much data is stored in all indexers per day, per month and per year. What is the query I can use?
Thank you in advance
index=_internal source=license_usage.log type=Usage | stats sum(eval(b/1024/1024/1024)) AS volume_b by idx date_mday date_month date_year | stats max(volume_b) by idx date_month date_year
index=_internal source=*license_usage.log type=Usage | stats sum(eval(b/1024/1024/1024)) AS volume_b by idx date_mday date_month date_year | stats max(volume_b) by idx date_month date_year
Help me to edit this query to get the output in GB and also calculate the total number of all indexes in GB.
Thank you in advance
Question: This search doesn't work, but if I switch "idx" to "i", it gives me something. Is there a switch in recent Splunk versions to the internal log format? EDIT: NM, idx is a new field for v6+
Another query posted that doesn't work... at least for me. Changing idx to i also gives no results found 😞
This worked for me, but I had to use source="*license_usage.log", with the asterisk wildcard for the preceding file path characters.
You rock!!
index=_internal source=license_usage.log type=Usage | eval yearmonthday=strftime(_time, "%Y%m%d") | eval yearmonth=strftime(_time, "%Y%m") | stats sum(eval(b/1024/1024/1024)) AS volume_b by idx yearmonthday yearmonth | chart max(volume_b) over yearmonth by idx
OK, that works, but how can I get it in a more readable format? I'd like to have the indexes as columns across the top and each month's values as rows. Basically, I timechart by index
Is it MB or GB?
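Added example, not part of any post in this thread: a Python cross-check of the two-stage aggregation the searches above perform (sum `b` per day per index, then take the monthly maximum), run on constructed sample lines. The line layout, the `ALL_INDEXES` label and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

GIB = 1024 ** 3  # b is a byte count; dividing by 1024 three times gives GB
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines (assumed layout); only type, idx and b are read.
SAMPLE = """\
01-30-2024 23:10:00.000 +0000 INFO  LicenseUsage - type=Usage st="syslog" h="h1" idx="main" b=1073741824
01-30-2024 23:20:00.000 +0000 INFO  LicenseUsage - type=Usage st="winlog" h="h3" idx="security" b=1073741824
01-31-2024 08:00:00.000 +0000 INFO  LicenseUsage - type=Usage st="syslog" h="h1" idx="main" b=2147483648
01-31-2024 09:00:00.000 +0000 INFO  LicenseUsage - type=Usage st="syslog" h="h2" idx="main" b=1073741824
01-31-2024 09:30:00.000 +0000 INFO  LicenseUsage - type=Usage st="winlog" h="h3" idx="security" b=536870912
02-01-2024 10:00:00.000 +0000 INFO  LicenseUsage - type=Usage st="winlog" h="h3" idx="security" b=3221225472
02-01-2024 10:05:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary b=9999999999
"""

def daily_bytes(lines):
    """First stats stage: sum(b) by day and idx, type=Usage events only."""
    daily = defaultdict(int)
    for line in lines:
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        if fields.get("type") != "Usage" or not {"idx", "b"} <= fields.keys():
            continue  # skip rollover summaries and malformed lines
        day = datetime.strptime(line[:10], "%m-%d-%Y").date()
        daily[(day, fields["idx"])] += int(fields["b"])
    return daily

def monthly_peak_gb(daily):
    """Second stage: max daily volume per month, one column per index.
    ALL_INDEXES (a label chosen here) is the peak of the daily totals,
    which is not the same as adding up the per-index peaks."""
    totals = defaultdict(int)
    for (day, _idx), b in daily.items():
        totals[day] += b
    cells = list(daily.items())
    cells += [((day, "ALL_INDEXES"), b) for day, b in totals.items()]
    rows = defaultdict(dict)
    for (day, idx), b in cells:
        row = rows[day.strftime("%Y-%m")]
        row[idx] = max(row.get(idx, 0.0), round(b / GIB, 3))
    return dict(rows)

if __name__ == "__main__":
    report = monthly_peak_gb(daily_bytes(SAMPLE.splitlines()))
    for month, row in sorted(report.items()):
        print(month, row)
```

In the sample, January's per-index peaks fall on different days, so the combined peak (3.5 GB) is lower than the sum of the per-index peaks (4 GB).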