Splunk search for Volume of Ingested Comments
[ | tstats count where punct=#* by index, sourcetype | fields - count | format ] _raw=#*
| eval gb=len(_raw)/pow(1024,3)
| timechart span=1d sum(gb)
This search shows the volume of comments, in estimated GB/day, that you are ingesting into Splunk. The estimate is computed from the length of _raw for each matching event. The search assumes that any event beginning with # is a comment.