Solved: Search for daily indexing rate per sourcetype and ...

mpham07 · ‎08-08-2019

Hello all,

I just came onto a new job and we're trying to figure out the daily indexing rate broken down by sourcetypes. Then we're going to get the average for X days. Is there another search that can list the throughput of each sourcetype within an index? I like the search below for per_sourcetype_thruput, but it doesn't list the indexes. I tried looking at the per_index_thruput to figure it out too but am now stuck trying to see if there are other commands out there that can help.

 index=_internal component=Metrics per_sourcetype_thruput
 | eval mb=kb/1024 
 | timechart span=1d sum(mb) by series useother=f limit=150

 index=_internal component=Metrics per_index_thruput
 | eval mb=(kb/1024) 
 | timechart span=1d sum(mb) by series useother=f limit=100

Thank you for your time, take care.

nareshinsvu · ‎08-08-2019

try this? This gives volume usage stats for the index and sourcetype on daily basis

index=_internal source="*license_usage.log*" type=Usage  | eval yearmonthday=strftime(_time, "%Y%m%d") | stats sum(eval(b/1024/1024)) AS volume_mb by idx st yearmonthday

View solution in original post

nareshinsvu · ‎08-08-2019

try this? This gives volume usage stats for the index and sourcetype on daily basis

index=_internal source="*license_usage.log*" type=Usage  | eval yearmonthday=strftime(_time, "%Y%m%d") | stats sum(eval(b/1024/1024)) AS volume_mb by idx st yearmonthday

mpham07 · ‎08-09-2019

Thank you nareshinsvu! It worked perfectly.

Search for daily indexing rate per sourcetype and list the specific indexes

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform