Refine your search:

Total number of indexed volume per day

0

Hi,

Currently I have a splunk server receiving logs from few servers.

I will like to do a search that is scheduled on a daily basis which will report on the total indexed volume for all servers in a day.

This command looks good but it list individual servers and their indexed size: index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | sort sum(MB)

Thanks

asked 21 Jun '10, 08:18

apro's gravatar image

apro
995316
accept rate: 20%

2 Answers:
oldestnewestmost voted
2

You simply need to use the addtotals command:

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | addtotals

link

answered 21 Jun '10, 16:45

Simeon's gravatar image

Simeon ♦
4.2k111035
accept rate: 26%

Thanks for the tip.works fine and got to display the total volume.Can advise further on the Custom Alert condition search to specify if I only want to receive an email if the total indexed volume hit 70% of the license limit?

(23 Jun '10, 10:10) apro

I can help answer your question, but for sharing purposes, can you create a new question? It's a modified search and it uses additional operators.

(23 Jun '10, 15:11) Simeon ♦

Hi, have created new question here ->

http://answers.splunk.com/questions/3976/custom-alert-condition-search-to-report-on-indexed-volume

thanks.

(24 Jun '10, 06:01) apro
0

Some updates,

I am scheduling this search(Daily Indexed Volume) now:

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | rename series AS "Host(s)" | sort sum(MB) | addcoltotals col=t | fillnull value="[ Total Indexed Volume ] last 24 hours" Host(s)

but it seems to be generating the following errors:

in splunkd.log: 06-25-2010 10:04:27.285 ERROR stats - The argument '>' is invalid.

in scheduler.log: 06-25-2010 10:04:27.285 ERROR SavedSplunker - savedsearch_id="myuserid;search;Daily Indexed Volume", Error in 'stats': The argument '>' is invalid.

Any idea??

link

answered 25 Jun '10, 06:18

apro's gravatar image

apro
995316
accept rate: 20%

Is it because the parens in the Host(s)? Perhaps you need quotes or to escape it? I would try renaming that and give it another crack to isolate the issue.

(11 Feb, 08:47) SloshBurch
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×463
×51

Asked: 21 Jun '10, 08:18

Seen: 4,251 times

Last updated: 11 Feb, 08:47

Related questions

Total number if indexed volume for all hosts per day

Index volume by host

Splunk search command for daily indexed volume?

Log Volume Indexed.

daily indexed volume search does not report all hosts

How do I get the total number of events per day per host... Efficiently and accurately?

multiply a field value by number of distinguished hosts rather than fixed number

Index volume: hourly increase and raw volume

Index limit to specific daily volume.

Copyright © 2005-2012 Splunk Inc. All rights reserved.