Differences

This shows you the differences between two versions of the page.

--- splunk-queries [2024/03/15 11:55] – [Count Events per Index] baumi
+++ splunk-queries [2024/10/15 05:26] (current) – baumi
@@ Line 1: / Line 1: @@
-===== Splunk Queries =====
+====== Splunk Queries ======
+===== Indexes & Events =====
 ==== List Indexes ====
 <code>
-| eventcount summarize=false index=* | dedup index | fields index
+| eventcount summarize=false index=*
+| dedup index
+| fields index
 </code>
 ==== Count Events per Index ====
@@ Line 15: / Line 19: @@
 ==== Events per Host / Index / Sourcetype ====
 <code>
-| tstats count as EVENTS_PER_HOST where index=* by index,sourcetype,host | table * | sort by index
+| tstats count as EVENTS_PER_HOST where index=* by index,sourcetype,host
+| table *
+| sort by index
 </code>
@@ Line 27: / Line 33: @@
 <code>
 index=_internal sourcetype=splunkd source=*license_usage.log type=Usage
-     | timechart span=1d sum(b) as usage by idx limit=0 | foreach * [ eval "<<FIELD>>"=round('<<FIELD>>'/1024/1024,3)]
+| timechart span=1d sum(b) as usage by idx limit=0
+| foreach * [ eval "<<FIELD>>"=round('<<FIELD>>'/1024/1024,3)]
 </code>
+==== Total Ingestion ====
+<code>
+index=_internal sourcetype=splunkd source=*license_usage.log type=Usage
+| timechart span=1d sum(b) as usage
+| eval gb=round(usage/1073741824,3)
+| table _time, gb
+</code>
+===== Lookups & Macros =====
 ==== Export Lookup file ====