Splunk Search

How to find number of events, size (in GB), and frequencies of ingestion?

SplunkDash
Motivator

Hello,

are there any queries we can use to find the Total Number of Events, Total Size/Volume (in GB) of Data, Frequencies of data coming into SPLUNK by index and sourcetype. Any help will be highly appreciated, thank you!

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

In the lower-right corner of most of the MC panels you should find a magnifying glass icon.  It will only appear when your cursor is in the area.  Click the icon to open the panel in a search window.  Then you will have the query which you can modify or copy.

---
If this reply helps you, Karma would be appreciated.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Have you looked at the Monitoring Console?  It should have most of what you seek.

---
If this reply helps you, Karma would be appreciated.
0 Karma

SplunkDash
Motivator

Hello,

Thank you so much for your quick response, truly appreciated. Yes, I saw that, it is in the monitor console. But is there any way I can get the same data using queries and make a report to send as a csv file? Or is there any way I can export that data as csv from the monitor console? Thank you again.

0 Karma


SplunkDash
Motivator

Hello,

Thank you so much. Yes, it's working as expected for counting events by host/source/sourcetype. Here is the code I got:

Code for counting events by host:

| metadata type=hosts index=test_prod splunk_server=<servername> datatype=event
| fields host, totalCount
| sort - totalCount
| rename host as Host, totalCount as "Event Count"

But most likely I don't have access to view volume/size (in MB) by host/source/sourcetype. Are there any ways to tweak the code above to get the volume/size of data (in MB)? Thank you again, and any help will be highly appreciated.

0 Karma

SplunkDash
Motivator

Hello,

Thank you so much again! But still, I am not getting the expected output from that option; however, I am getting a result from this query:

index=_internal(test_prod) source=*license_usage.log type=Usage | stats sum(b) as Bytes by idx st s h | eval MB=round(Bytes/1024/1024,3)

But it is missing some of the sourcetypes: there should be 12 sourcetypes under that index; however, I am getting only 8 sourcetypes (using "All time") when I use this query.

0 Karma
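Added example (not any poster's query): it filters the license log on the idx field instead of the free-text term (test_prod), reports daily volume in GB per index and sourcetype, and appends a tstats event count so events and bytes land in one table. It assumes the index name test_prod from the thread and the standard license_usage.log field names (idx, st, b).

```spl
| tstats count AS events WHERE index=test_prod BY _time span=1d index sourcetype
| rename index AS idx, sourcetype AS st
| append
    [ search index=_internal source=*license_usage.log* type=Usage idx=test_prod
      | bin _time span=1d
      | stats sum(b) AS bytes BY _time idx st ]
| stats sum(events) AS events sum(bytes) AS bytes BY _time idx st
| eval GB=round(bytes/1024/1024/1024, 3)
| table _time idx st events GB
```

Because license_usage.log is written to _internal, "All time" only reaches back as far as _internal retention (30 days by default), so a sourcetype that has not ingested within that window shows events from tstats but no bytes; that is one possible reason a metadata search lists more sourcetypes than the license query does.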

richgalloway
SplunkTrust
SplunkTrust

I'm confused by use of the term "index=_internal(test_prod)".  That doesn't look like a valid index name.

---
If this reply helps you, Karma would be appreciated.
0 Karma

SplunkDash
Motivator

Hello,

index=_internal is the actual term and "test_prod" is the user defined index. So, index=_internal gives us all the index names and info; index=_internal(test_prod) gives info only for test_prod. Does it make sense to you? Please feel free to let me know if you have any questions. Thank you!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Have you compared the sourcetypes returned by tstats with those returned by metadata?

| metadata type=sourcetypes index=*

If that finds 12 sourcetypes then we'll have to pick apart the tstats query to find the problem.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust
SplunkTrust

"Most likely"?  Have you tried?  If you don't have access then no tweaks to a search will get you access.

The data you seek should be available on the MC of your license manager instance. Go to Indexing->License Usage->Historic License Usage. There are dropdowns to select how the data will be grouped, or you can copy the queries to customize.

---
If this reply helps you, Karma would be appreciated.