Splunk search for checking how much of a sourcetype has been ingested

index="_internal" source="*metrics.log" group="per_sourcetype_thruput"
| eval GB=kb/1024/1024
| chart sum(GB) as "GB Ingested" avg(eps) as "Events per Second" over series
| eval "GB Ingested"=round('GB Ingested',4), "Events per Second"=round('Events per Second',4)
| rename series as Log
This Splunk search shows how much data has been ingested from each sourcetype. The output lists GB ingested and Events per Second for each sourcetype, which helps identify sourcetypes that use a large portion of your daily licensing volume.
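To act on the licensing point above, the same metrics.log data can be broken down per day, with each sourcetype's share of that day's total. This is an added example, not part of the original page; the 7-day window and the field names day_GB, total_GB and pct_of_day are choices made here.

```spl
index="_internal" source="*metrics.log" group="per_sourcetype_thruput" earliest=-7d@d latest=@d
| eval GB=kb/1024/1024
| bin _time span=1d
| stats sum(GB) as day_GB by _time, series
| eventstats sum(day_GB) as total_GB by _time
| eval pct_of_day=round(100*day_GB/total_GB, 2), day_GB=round(day_GB, 4)
| sort 0 _time, -pct_of_day
| eval Day=strftime(_time, "%Y-%m-%d")
| table Day, series, day_GB, pct_of_day
| rename series as Log, day_GB as "GB Ingested", pct_of_day as "% of Day"
```

By default metrics.log records only the busiest series in each sampling interval, so treat these figures as estimates rather than exact license usage.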