Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get usage of a particular index or query usage?

splunkuseradmin
Path Finder
‎06-11-2019 12:44 PM

Hey all,
was wondering if there is way to find out usage of perticular index I have a query which gives some numbers i belive it is in kb's so i devided with 1048576 to get in GB's.
but is there any other ways to get more accurate data or some other ways so we can keep eyes on index=test usage data by user or by day something like that.

index=test | eval length = length(_raw)/ 1048576  | timechart span=1d sum(length) as Length

I have also been trying with below query but there is no data I get.

index=test source=*license_usage.log* type=Usage

thanks

0 Karma
Reply

jazzypai
Path Finder
‎06-11-2019 01:04 PM

You can navigate to the Monitoring Console and view indexes with amount of data over time. It uses "index=_internal source=license_usage.log type=Usage" by default.

If you're searching "index=test source=license_usage.log type=Usage" then you will not be able to find license_usage.log because they are in index=_internal.

0 Karma
Reply

splunkuseradmin
Path Finder
‎06-11-2019 01:10 PM

I was looking to find out details for index=test

how much data is written on index ?
how often index=test is used in search queries?

0 Karma
Reply

splunkuseradmin
Path Finder
‎06-12-2019 11:31 AM

any suggestions

0 Karma
Reply

jazzypai
Path Finder
‎06-12-2019 12:07 PM

For how much data is written on index, you could view it through the gui by going to Settings > Indexes and viewing the summary of the index. If you need more granular let me know but I don't have access to verify searches right now.

This link provides a search which uses the _audit index to view what users are doing. Again, I can't verify right now but if you follow the advice you should be able to get retrieve all the events which include search queries. You would then need to search for "index=test" within those results and do a stats count. Please take a look and report back.

https://answers.splunk.com/answers/149332/how-to-view-the-list-of-search-queries-run-for-a-given-tim...

0 Karma
Reply

splunkuseradmin
Path Finder
‎06-12-2019 01:19 PM

I wanted to see how usage looks like.
ex.. if we doing 30% of data in index or calculation of all events and space using or may be how it runs month to date and shows usage looks like.

0 Karma
Reply

splunkuseradmin
Path Finder
‎06-12-2019 01:21 PM

i have poweruser roles not the admin roles and if i try doing search with index=test

"index=test action=search" nuthing shows up it looks like no action field available for every index ??

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-11-2019 12:58 PM

Are you trying to find out how much data is written to index=test or how often 'index=test' is used in a search query?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

splunkuseradmin
Path Finder
‎06-11-2019 01:07 PM

yes exactly both

0 Karma
Reply

splunkuseradmin
Path Finder
‎06-12-2019 11:15 AM

any suggestions

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...