Splunk Search

largest single day result in a 90 day period

sdewar83
Path Finder

I have a search to find total ingest into Splunk, which I can run for a day or against a longer period by using the time picker. If you run it against a 24 hour period, it tells you how much raw data has been ingested into Splunk in 24 hours. It works well. Management have asked me to find what was the largest single day ingest in a 90 day period.

How would I go about editing my search to display this?

The base search is:

index=* OR index=_*
| fields sourcetype, _raw
| eval size=len(_raw)
| stats sum(size) as size
| eval size=round(size/1024/1024,2)

I tried editing it to this and it seems to work, but I'm not sure the result I'm seeing is what I hope it is haha

index=* OR index=_*
| fields sourcetype, _raw
| eval size=len(_raw)
| stats sum(size) as size
| eval size=round(size/1024/1024,2)
| bucket _time span=1d
| stats max(size) as MaxSingleDayIngest

Can someone give me a sanity check please? I feel like the result I'm getting is too large to be correct. 🙂

Cheers!

0 Karma
1 Solution

sdewar83
Path Finder

OK, I think i worked it out now.

index=* OR index=_*
| bin _time span=1d
| fields sourcetype, _raw
| eval size=len(_raw)
| stats sum(size) as size by _time
| eval size=round(size/1024/1024,2)

Gives me the total ingested for the time period I searched for and then breaks it down by day. Also plots it nicely on a line graph.

Might rename the fields so it labels them nicely but this works for now!


0 Karma
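Putting the two halves of the thread together, here is an added example (not posted by anyone in this thread) that keeps the accepted per-day table and also flags the single largest day, using the asker's len(_raw) method. Note that len(_raw) counts characters of the stored event, not licensed bytes, so the numbers will not match license_usage.log exactly.

```spl
index=* OR index=_*
| bin _time span=1d
| eval size=len(_raw)
| stats sum(size) AS bytes BY _time
| eval size_mb=round(bytes/1024/1024, 2)
| eventstats max(size_mb) AS max_single_day_mb
| eval peak_day=if(size_mb=max_single_day_mb, "yes", "no")
| fields _time, size_mb, max_single_day_mb, peak_day
| sort - size_mb
```

Run it with the time picker set to the last 90 days; the row with peak_day=yes is the largest single day, and because eventstats repeats max_single_day_mb on every row, the same search can also feed a single-value panel.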

skrajkumar_splu
Splunk Employee

You can use the license_usage.log file to get your ingestion amount. Kindly try the below query, which could give you the date on which the maximum data was ingested in the specified timeframe.

index=_internal source=*license_usage.log type=Usage
| bin span=1d _time
| stats sum(eval(b/1024/1024/1024)) AS volume by _time
| sort - volume
| head 1

Hope this helps

0 Karma

sdewar83
Path Finder

Yeah, I've confirmed that it's just giving me the total ingestion over the time period. I'm really trying to sort the raw data into 1-day buckets and then display the largest bucket, if that makes sense.

Hopefully someone can assist! 🙂

0 Karma