Community:Search Report: How To Create a Chart of Hourly and Accumulated Index Volume

From Splunk Wiki

Jump to: navigation, search

How To Create a Chart of Hourly and Accumulated Index Volume

This is an example search to create a chart of Hourly Index Volume and Accumulated Daily Index Volume
You can make use of this search to create an alert when the daily index volume reach over 80% of your license or pool volume.

index=_internal group="per_index_thruput" earliest=@d latest=@h
   | eval mb=kb/1024
   | timechart span=1h sum(mb) as HourlyTotal by series
   | addtotals fieldname=HourlyTotal
   | streamstats sum(HourlyTotal) AS AccumulatedTOTAL

Visually the chart might be confusing because the Accumulated volume might be quite larger than each index.

The keys of this search are;

    1. "addtotals" to add the total of the values in the each record; HourlyTotal
    2. "streamstats" to add each record's total, HourlyTotal, up record by record.


Here is the sample result and the cart;
Chart TodaysIndexedVolume4.1.png


Here is another example using 4.2 license_usage.log which is available only in the License Master.

index=_internal source="*license_usage.log*" earliest=@d 
   | timechart span=1h sum(b) AS B by i 
   | addtotals 
   | streamstats sum(Total)

Chart TodaysIndexedVolume4.2.png Table TodaysIndexedVolume4.2.png

Lastly how can we use MB unit instead of Byte unit, and round to 2 digit floating point? Try it!

Retrieved from "https://wiki.splunk.com/index.php?title=Community:Search_Report:_How_To_Create_a_Chart_of_Hourly_and_Accumulated_Index_Volume&oldid=54901"
Personal tools
Hot Wiki Topics


About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk