Top 3 Splunk searches to better understand your daily usage

Diagnosing your data usage

It is important to understand how much data each input, department or index is consuming so that you can plan accordingly and stay within your daily license limit.

Indexed data by sourcetype

index=*
| fields _raw, _time, sourcetype
| eval evt_bytes = len(_raw)
| timechart span=1d sum(eval(evt_bytes/1024/1024)) AS TotalMB by sourcetype

Indexed data by source

index=*
| fields _raw, _time, source
| eval evt_bytes = len(_raw)
| timechart span=1d sum(eval(evt_bytes/1024/1024)) AS TotalMB by source

Indexed data by index

index=_internal source=*license_usage.log type=Usage
| fields idx, b
| rename idx as index_name
| timechart span=1d limit=20 sum(eval(round(b/1024/1024,4))) AS Total_MB by index_name
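As an added example (not one of the original three searches), the license_usage.log approach of the third search extended to cover the sourcetype and source breakdowns of the first two, so every number comes from the license manager's own accounting instead of from scanning raw events with index=*. It assumes the standard Usage-line fields st, s, h and idx, and labels entries whose source and host the license manager has squashed.

```spl
index=_internal source=*license_usage.log type=Usage
| fields _time, idx, st, s, h, b
| rename idx AS index_name, st AS sourcetype_name
| eval source_name=if(isnull(s) OR len(s)=0, "(squashed)", s)
| eval host_name=if(isnull(h) OR len(h)=0, "(squashed)", h)
| bin _time span=1d
| stats sum(b) AS bytes by _time, index_name, sourcetype_name, source_name, host_name
| eval Total_MB=round(bytes/1024/1024,4)
| sort 0 _time, -Total_MB
```

license_usage.log is written on the license manager, so the search only returns rows where the license manager's _internal index is searchable from the search head you run it on.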