Splunk Search

See Gigabytes Added to Each Index in Last 24 hours

davespatz
Explorer

Issue:

Various internal groups pay for space in Splunk based on their needs. For example, dev teams paid for 40GB's for their application logs while Exchange team paid for 20GB's per day (just two examples). I need to be able to say if one team is exceeding what they paid for internally. We will only have two indexers so I can't separate by indexer so looks like I can't create license pools either by indexer (both indexers we have are used for everything).

Question:
If I just create separate indexes for each group, how can I see how much data was added to the index each day?

Tags (1)
0 Karma

masonmorales
Influencer

If you don't like the license reports that ship with Splunk, check out: https://splunkbase.splunk.com/app/2678/

0 Karma

badrinath_itrs
Communicator

Hi,

This has been answered several times, you can always take a look into the License Usage report and can also do a split based on host, source, sourcetype and index.

Here is the detailed documentation .

http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/AboutSplunksLicenseUsageReportView

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...