Solved: Daily Ingest per index for last 7 days

Splunkerninja

Hi , I came across many queries to calculate daily ingest per index for last 7 days but I am not getting the expected results.

Can you please guide me with the query to calculate the daily ingest per index in GB for last 7 days?

scelikok

Hi @Splunkerninja,

You can use below query;

index=_internal source=*license_usage.log* type="Usage" 
| timechart span=1d eval(round(sum(b)/1024/1024/1024,3)) as GB by idx

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok

Hi @Splunkerninja,

You can use below query;

index=_internal source=*license_usage.log* type="Usage" 
| timechart span=1d eval(round(sum(b)/1024/1024/1024,3)) as GB by idx

If this reply helps you an upvote and "Accept as Solution" is appreciated.

gcusello

Hi @Splunkerninja,

do you want to calcuate the icense consuption or the number of events per index and per day?

In the first case see at [Settings > License > License Consuption past 60 days > by Index], or run this:

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx   | timechart span=1d sum(b) AS volumeB by idx fixedrange=false  | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | dedup _time stack | stats sum(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

In the second case, you could try something ike this:

index=*
| bin span=1d _time
| chart count OVER index BY _time

Ciao.

Giuseppe

Splunkerninja

The first query is not giving me any results. Even i replaced the macro with actualy query it gives zero result.

I basically want the total of daily ingest of each index over 7 days

index=_internal [ rest splunk_server=local /services/server/info | return host] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | join type=outer _time [ search index=_internal [ rest splunk_server=local /services/server/info | return host] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | dedup _time stack | stats sum(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [ eval <>=round('<>'/1024/1024/1024, 3)]

gcusello

Hi @Splunkerninja ,

does the search in [Settings > License > License Consuption > last 60 days > divided by index] run?

I only copied this search.

Ciao.

Giuseppe

Splunkerninja

@gcusello @bowesmana We are on splunk cloud and we use workload based management for licenseing i.e SVC . So the query which you are giving is not giving aggregate daily ingest per index for last 7 days

bowesmana

so what did you try and what gave you the wrong results

This is the basic search

index=_internal source=/opt/splunk/var/log/splunk/license_usage.log idx=* st=*
| stats sum(b) as bytes by idx
| eval gb=round(bytes/1024/1024/1024,3)

Run that over the time range you want

Daily Ingest per index for last 7 days

indexer

indexer clustering

license usage

monitoring console

proactive Splunk component monitoring

resource usage

search head

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?