Splunk Search

How to edit my search to track the amount of data being ingested to a specific index, measured in MB/per minute?

dsofoulis
Path Finder

I'm trying to write a search to track the amount of data being ingested to a specific index, measured in MB/per minute.
This is what I have so far:

index=my_index_name metrics name=index_thruput sourcetype=splunkd | timechart span=1m sum(eval(kb/1024)) as "MB/min"
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

That metric will give you the total indexing thruput, not the per-index thruput. You'll want something like this:

  index=_internal sourcetype=splunkd source=*metrics.log* group=per_index_thruput series=_internal
| timechart per_minute(kb) as kbpm | eval mbpm = kbpm/1024 | fields - kbpm

That gives you the MB/min thruput for the _internal index, swap the series value as you wish.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

That metric will give you the total indexing thruput, not the per-index thruput. You'll want something like this:

  index=_internal sourcetype=splunkd source=*metrics.log* group=per_index_thruput series=_internal
| timechart per_minute(kb) as kbpm | eval mbpm = kbpm/1024 | fields - kbpm

That gives you the MB/min thruput for the _internal index, swap the series value as you wish.

Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...