Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search for daily indexing rate per sourcetype and list the specific indexes

mpham07
Path Finder
‎08-08-2019 07:19 AM

Hello all,

I just came onto a new job and we're trying to figure out the daily indexing rate broken down by sourcetypes. Then we're going to get the average for X days. Is there another search that can list the throughput of each sourcetype within an index? I like the search below for per_sourcetype_thruput, but it doesn't list the indexes. I tried looking at the per_index_thruput to figure it out too but am now stuck trying to see if there are other commands out there that can help. 

 index=_internal component=Metrics per_sourcetype_thruput
 | eval mb=kb/1024 
 | timechart span=1d sum(mb) by series useother=f limit=150

 index=_internal component=Metrics per_index_thruput
 | eval mb=(kb/1024) 
 | timechart span=1d sum(mb) by series useother=f limit=100

Thank you for your time, take care.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nareshinsvu
Builder
‎08-08-2019 10:02 PM

try this? This gives volume usage stats for the index and sourcetype on daily basis

index=_internal source="*license_usage.log*" type=Usage  | eval yearmonthday=strftime(_time, "%Y%m%d") | stats sum(eval(b/1024/1024)) AS volume_mb by idx st yearmonthday

View solution in original post

Reply
Solved! Jump to solution
Solution

nareshinsvu
Builder
‎08-08-2019 10:02 PM

try this? This gives volume usage stats for the index and sourcetype on daily basis

index=_internal source="*license_usage.log*" type=Usage  | eval yearmonthday=strftime(_time, "%Y%m%d") | stats sum(eval(b/1024/1024)) AS volume_mb by idx st yearmonthday
Reply
Solved! Jump to solution

mpham07
Path Finder
‎08-09-2019 10:38 AM

Thank you nareshinsvu! It worked perfectly.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...