Solved: How to search for all Indexes and sort by amount i...

shandman · ‎07-11-2017

I'm trying to write a search where I can list all indexes in our Splunk environment, and ingestion rate per day. i.e. license usage.

cpetterborg · ‎07-11-2017

I have a "chargeback" dashboard that does this. We do it by index (sometimes combining a couple of them per customer), but I think it is what you want. You should be able to do something like this:

index=_internal source=*license_usage.log type="Usage" | stats sum(b) as b by idx | eval GB=(b/1024/1024/1024) | sort -GB | fields - b

View solution in original post

shandman · ‎07-11-2017

This is perfect! Thank you! I just need to get results back from the search now... ideas?

cpetterborg · ‎07-11-2017

I have a "chargeback" dashboard that does this. We do it by index (sometimes combining a couple of them per customer), but I think it is what you want. You should be able to do something like this:

index=_internal source=*license_usage.log type="Usage" | stats sum(b) as b by idx | eval GB=(b/1024/1024/1024) | sort -GB | fields - b

How to search for all Indexes and sort by amount indexed per day / license ?

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!