This week in “That happened: notes from #splunk”, a blog about the goings-on in the Splunk IRC channel: a lost child finds his home, a different kind of language barrier, and indexing volume is in the eye of the beholder.
At last…our ninja has come along
The infamous Wilde learns what he’s been missing:
<SPLKNinja> I’m never in IRC.. like 5 times in all my career at Splunk.. how stupid of me.. this place is great.
<SPLKNinja> i’m hooked.
Me fail English? That’s unpossible!
We’ll start to worry if you start speaking in regexes
<jtrucks> is there a way to have splunk tell me how much storage space is used by a certain type of traffic based on a search? e.g. source=mylog destport 53 | something to count storage usage here
<derkferz> jtrucks: | eval l=len(_raw) | stats sum(l) should get you close
<jtrucks> you people are geniuses
<derkferz> I’m not 100% sure on it, and it does leave out overhead
<alacer> geniusi? cactus + 1 = cacti……
<jtrucks> that in bytes?
<alacer> hmmm, english should be my first language…… but I think that was replace by splunk…
<derkferz> jtrucks: yeah, in bytes … some of the stuff it leaves out, though, includes the index overhead (tsidx and bloom filters)
<derkferz> and any indexed field values (sourcetype,source,host,etc)
<jtrucks> s’ok. I need a ballpark
<derkferz> … and, actual storage will be compressed
<jtrucks> see if I’m barking up the right tree
<derkferz> so, add some, take away some .. it’s a reasonable SWAG
* alacer SQUIREL!
<alacer> er.. SQUIRREL!
<alacer> see, not my first language any more
<jtrucks> but in terms of license usage, this will be what I need.
<^Brian^> alacer: back to kindergarten with you!
There must be…50 ways to see your indexer
Cerby and ^Brian^ count the ways:
<an0therb0> hello, how do i get information on what just ate up my indexing volume ?
<^Brian^> an0therb0: http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume
<@Splunky> ^Brian^’s URL: “Community:TroubleshootingIndexedDataVolume – Splunk Wiki”
<cerby> search app -> status -> indexing activity -> indexing volume -> sort by host
<cerby> also: ^Brian^ knows what he’s talking about, I’m just full of crap. 😀
<an0therb0> thank you
<^Brian^> either way
<^Brian^> i’m just old school
Splunk love twofer
Exclamations of joy and ROI:
<zeroXten> splunk ftw \o/ time to find fault root cause: < 1 minute
Almost as good as jellybeans:
<johnebg> you can index 500mb of data daily for free, install it, start feeding it data, it’s like a pet, for your data
<Yorokobi> a pet that poops magic