I need to know the breakdown of my license consumption on a per host, per source, and per sourcetype basis. What is the search to do this?

asked 16 Jan '10, 01:08

matt ♦♦


2 Answers:

per host:

index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)

per source:

index="_internal" source="*metrics.log" group="per_source_thruput" | chart sum(kb) by series | sort - sum(kb)

per sourcetype:

index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | chart sum(kb) by series | sort - sum(kb)

answered 17 Jan '10, 11:39

ziegfried ♦

While the above search will work for most cases, only the top 10 values over 30-second periods are indexed by default. For this reason, you may not see low-volume hosts populating the search results. You can increase the number of data points for the metrics.log file by editing the samples taken within limits.conf. See the following link and look for "metrics":

http://www.splunk.com/base/Documentation/latest/Admin/Limitsconf

(16 Apr '10, 17:45) Simeon ♦

Also see the following:

http://www.splunk.com/wiki/Community:TroubleshootingIndexedDataVolume

(16 Apr '10, 19:35) Simeon ♦
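The searches in the answer above and the sampling caveat in the comments, worked through offline as an added example (this is not code from the page or from Splunk). It parses a handful of constructed metrics.log lines whose layout is approximated from Splunk's real `Metrics - group=..., series="...", kb=...` format, sums `kb` per `series` for a thruput group exactly as `chart sum(kb) by series | sort - sum(kb)` does, and then models the default "top N series per interval" sampling to show why a consistently low-volume host can vanish from the per-host totals. The sample lines, host and sourcetype names, and the `keep_top_n_per_interval` helper are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of metrics.log "Metrics" lines (layout approximated from
# Splunk's metrics.log; not real data from the page). Two 30-second intervals;
# "lowvol-host" only reports in the second one, and the final "queue" line is
# there to show that non-thruput groups are ignored by the aggregation.
SAMPLE_METRICS_LOG = """\
01-17-2010 11:39:00.000 +0000 INFO  Metrics - group=per_host_thruput, series="web01", kbps=4.210, eps=35.00, kb=126.300, ev=1050, avg_age=0.10, max_age=1
01-17-2010 11:39:00.000 +0000 INFO  Metrics - group=per_host_thruput, series="db01", kbps=1.500, eps=12.00, kb=45.000, ev=360, avg_age=0.20, max_age=2
01-17-2010 11:39:00.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=4.210, eps=35.00, kb=126.300, ev=1050, avg_age=0.10, max_age=1
01-17-2010 11:39:00.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.500, eps=12.00, kb=45.000, ev=360, avg_age=0.20, max_age=2
01-17-2010 11:39:30.000 +0000 INFO  Metrics - group=per_host_thruput, series="web01", kbps=4.000, eps=33.00, kb=120.000, ev=990, avg_age=0.10, max_age=1
01-17-2010 11:39:30.000 +0000 INFO  Metrics - group=per_host_thruput, series="db01", kbps=1.600, eps=13.00, kb=48.000, ev=390, avg_age=0.20, max_age=2
01-17-2010 11:39:30.000 +0000 INFO  Metrics - group=per_host_thruput, series="lowvol-host", kbps=0.010, eps=0.03, kb=0.300, ev=1, avg_age=0.00, max_age=0
01-17-2010 11:39:30.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=4.000, eps=33.00, kb=120.000, ev=990, avg_age=0.10, max_age=1
01-17-2010 11:39:30.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.610, eps=13.03, kb=48.300, ev=391, avg_age=0.20, max_age=2
01-17-2010 11:39:30.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size=1000, filled_count=0, empty_count=0, current_size=0, largest_size=0, smallest_size=0
"""

# Fixed prefix of a Metrics line: timestamp, level, "Metrics - group=<name>, "
# followed by the remaining comma-separated key=value fields.
_LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'INFO\s+Metrics - group=(?P<group>\w+), (?P<fields>.*)$'
)
# Values are either double-quoted strings (series) or bare tokens up to the next comma.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^,]+)')


def parse_metrics(text):
    """Parse Metrics lines into dicts holding ts, group and the remaining
    fields; quoted values are unquoted, numeric values become floats."""
    records = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # not a Metrics line, or a layout this parser does not know
        rec = {"ts": m.group("ts"), "group": m.group("group")}
        for key, value in _FIELD_RE.findall(m.group("fields")):
            value = value.strip()
            if value.startswith('"') and value.endswith('"'):
                rec[key] = value[1:-1]
            else:
                try:
                    rec[key] = float(value)
                except ValueError:
                    rec[key] = value
        records.append(rec)
    return records


def thruput_by_series(records, group):
    """Equivalent of `group=<group> | chart sum(kb) by series | sort - sum(kb)`:
    total KB per series for one thruput group, largest first (ties by name)."""
    totals = defaultdict(float)
    for rec in records:
        if rec["group"] == group and "series" in rec and "kb" in rec:
            totals[rec["series"]] += rec["kb"]
    return sorted(
        ((series, round(kb, 3)) for series, kb in totals.items()),
        key=lambda item: (-item[1], item[0]),
    )


def keep_top_n_per_interval(records, group, n):
    """Model of the default metrics.log sampling described in the comments:
    within each reporting interval only the n highest-kb series of a group
    are written out, so a series that is never in the top n is never seen."""
    by_interval = defaultdict(list)
    for rec in records:
        if rec["group"] == group and "kb" in rec:
            by_interval[rec["ts"]].append(rec)
    kept = []
    for ts in sorted(by_interval):
        kept.extend(sorted(by_interval[ts], key=lambda r: -r["kb"])[:n])
    return kept


if __name__ == "__main__":
    recs = parse_metrics(SAMPLE_METRICS_LOG)
    for group in ("per_host_thruput", "per_sourcetype_thruput"):
        print(group)
        for series, kb in thruput_by_series(recs, group):
            print(f"  {series:<20} {kb:>10.3f} KB")
    # Keep only the top 2 series per interval: lowvol-host disappears entirely.
    sampled = keep_top_n_per_interval(recs, "per_host_thruput", 2)
    print("per_host_thruput, top 2 series per interval retained:")
    for series, kb in thruput_by_series(sampled, "per_host_thruput"):
        print(f"  {series:<20} {kb:>10.3f} KB")
```

Run it against a real `$SPLUNK_HOME/var/log/splunk/metrics.log` by reading the file into `parse_metrics` in place of the constructed sample; the per-series totals will match the answer's searches over the same time window, while the sampled run shows the gap that raising the metrics sample count in limits.conf is meant to close.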

In the search app that Splunk ships with, under 'Status', there is a view called 'Indexing volume'. Go there and you'll see that it offers precisely this -- you can see your indexing volume broken down over time by source, by sourcetype, by host or by index.

Some raw searches themselves are posted in another answer but you'll probably find the custom view the most useful.


answered 29 Dec '10, 18:46

nick ♦


Copyright © 2005-2012 Splunk, Inc. All rights reserved.