Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find number of events, size (in GB), and frequencies of ingestion?

SplunkDash
Motivator
‎02-25-2022 10:09 AM

Hello,

are there any queries we can use to find the Total Number of Events, Total Size/Volume (in GB) of Data, Frequencies of data coming into SPLUNK by index and sourcetype. Any help will be highly appreciated, thank you!

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-25-2022 04:31 PM

In the lower-right corner of most of the MC panels you should find a magnifying glass icon.  It will only appear when your cursor is in the area.  Click the icon to open the panel in a search window.  Then you will have the query which you can modify or copy.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-25-2022 12:36 PM

Have you looked at the Monitoring Console?  It should have most of what you seek.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎02-25-2022 01:07 PM

Hello,

Thank you so much for your quick response, truly appreciated. Yes, I saw that,  it is in the monitor console. But, is the any way I can get same data using queries and make a report to send as a csv file. Or is there any way I can export that data as csv from monitor console. Thank you again.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-25-2022 04:31 PM

In the lower-right corner of most of the MC panels you should find a magnifying glass icon.  It will only appear when your cursor is in the area.  Click the icon to open the panel in a search window.  Then you will have the query which you can modify or copy.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎02-26-2022 08:08 AM

Hello,

Thank you so much. Yes, it's working as expected for counting events by host/source/sourcetype. Here are the codes what I got:

Codes for counting event by host:

| metadata type=hosts index=test_prod splunk_server=<servername> datatype=event

| fields host, totalCount

| sort - totalCount

| rename host as Host, totalCount as "Event Count"

But most likely I don't have access to view/have volume/size (in MB) by host/source/sourcetype. are there any ways to tweak these above codes to get the volume/size of data (in MB). Thank you again and any help will be highly appreciated.

0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎02-26-2022 04:23 PM

Hello,

Thank you so much again!  But still, I am not getting expected output from that option, however, I am getting result from this query:

index=_internal(test_prod) source=*license_usage.log type=Usage|stats sum(b) as Bytes by  idx st s h |eval MB=round(Bytes/1024/1024,3)

But, missing some of the sourcetypes, there should be 12 sourcetypes under that index, however, getting only 8 sourcetypes (using "All time") when I use this query. 

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-02-2022 07:25 AM

I'm confused by use of the term "index=_internal(test_prod)".  That doesn't look like a valid index name.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎03-02-2022 07:40 AM

Hello,

index=_internal is the actual term and "test_prod" is the user defined index. So, index=_internal gives us all the index names  and info;   index=_internal(test_prod)  gives info only for test_prod. Does it make sense to you? Please feel free to let me know if you have any questions. Thank you!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-02-2022 05:07 PM

Have you compared the sourcetypes returned by tstats with those returned by metadata?

| metadata type=sourcetypes index=*

If that finds 12 sourcetypes then we'll have pick apart the tstats query to find the problem.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-26-2022 09:51 AM

"Most likely"?  Have you tried?  If you don't have access then no tweaks to a search will get you access.

The data you seek should be available on the MC of your license manager instance. Go to Indexing->License Usage->Historic License Usage.  There are dropdowns to select the data will be grouped or you can copy the queries to customize.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...