Hello Folks,
I am trying to identify daily data ingestion for indexes. Based on this I want to calcualte storage requirement taking retention/RF/SF into account.
I am using below query to identify daily data rate but it seems it is not the correct way to identify as results are showing too much data beyond license capacity.
index=_internal source=*metrics.log group=per_index_thruput | eval GB=kb/(1024*1024) | timechart span=1d sum(GB) by series | addtotals fieldname=TotalDailyVolume(GB) | sort - _time
When I checked from Monitoring Console - License usage for last 30 days split by indexer - results are quite different and much less from above query.
I was under the impression that from query above we can get the daily data ingestion rate but look like i am missing something here.
Can you please advise and help me understanding this?
Thanks
↧