Solved: How to edit my search to track the amount of data ...

dsofoulis · ‎10-28-2016

I'm trying to write a search to track the amount of data being ingested to a specific index, measured in MB/per minute.
This is what I have so far:

index=my_index_name metrics name=index_thruput sourcetype=splunkd | timechart span=1m sum(eval(kb/1024)) as "MB/min"

martin_mueller · ‎10-29-2016

That metric will give you the total indexing thruput, not the per-index thruput. You'll want something like this:

  index=_internal sourcetype=splunkd source=*metrics.log* group=per_index_thruput series=_internal
| timechart per_minute(kb) as kbpm | eval mbpm = kbpm/1024 | fields - kbpm

That gives you the MB/min thruput for the _internal index, swap the series value as you wish.

View solution in original post

martin_mueller · ‎10-29-2016

That metric will give you the total indexing thruput, not the per-index thruput. You'll want something like this:

  index=_internal sourcetype=splunkd source=*metrics.log* group=per_index_thruput series=_internal
| timechart per_minute(kb) as kbpm | eval mbpm = kbpm/1024 | fields - kbpm

That gives you the MB/min thruput for the _internal index, swap the series value as you wish.

How to edit my search to track the amount of data being ingested to a specific index, measured in MB/per minute?

Platform Newsletter Highlights | March 2023

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor