|
What's a search I can run to quickly see my daily license usage in GB? |
This search is included in the Search App's set of bundled indexing-related searches as of version 4.1.4. |
|
Also, you can find on SplunkBase the Splunk License Usage Apps. In addition to the daily license usage, this Splunk Apps provides a dashboard of your Splunk license usage total over the past 24 hours as well as usage by host, source, and sourcetype. It contains timecharts to help you understand usage over time and see usage spikes as well as pie charts to help you to figure out which log files, sourcetypes, and hosts Splunk is indexing the most data from. |
|
This has been answered several times, but here are searches I use. daily total by GB: highest-usage indexes: |
|
A simple way to do this, adapting @wolverine's search above: This will provide a table of usage over time, broken out in a table by date |
|
Similar to Tedder's, here are the searches I always use to see a nice graphical view of indexing in Advanced Charting view, last 24 hours: Today's indexing by sourcetype: Today's indexing by index: If certain sourcetypes/indexes are too big, you can use the Y axis log-scale option, or exclude them, such as Today's non-internal indexing by sourcetype: |
|
Beware, in 4.2 and in 4.3, the license metrics log files format changed. please update your searches according to this guide : http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume |
