The Sumo Logic Audit and Volume indexes count against volume and will show up under the InternalCollector and InternalSource names of the volume index. These indexes are enabled as follows.
Sumo Logic Auditing:
- Go to Administration > Security > Policies.
- Next to Sumo Logic Auditing, select the Enable check box.
Data Volume Index:
- Go to the Administration > Account > Data Management page.
- Under Data Volume, select Enable.
Data sent to Views, which are defined with non-aggregate queries, will also show up under the InternalCollector and InternalSource names of the volume index.
For both cases, the following volume query will show the volume related to these Views:
_index=sumologic_volume AND _sourceCategory=view_volume
There are two ways this data may be displayed in the volume index.
a.) InternalCollector shows up under the Source Category of collector_volume. To get the size of InternalCollector, run the query below; the results include a collector named InternalCollector:
_index=sumologic_volume _sourceCategory=collector_volume
| parse regex "\"(?<collector>(?:[^\"]+)|(?:\"\"))\"\:\{\"sizeInBytes\"\:(?<bytes>\d+),\"count\"\:(?<count>\d+)\}" multi
| bytes/1024/1024/1024 as gbytes
| sum(gbytes) as gbytes by collector
b.) InternalSource shows up under the Source Category of source_volume. To get the size of InternalSource, run the query below; the results include a source named InternalSource:
_index=sumologic_volume _sourceCategory=source_volume
| parse regex "\"(?<source>(?:[^\"]+)|(?:\"\"))\"\:\{\"sizeInBytes\"\:(?<bytes>\d+),\"count\"\:(?<count>\d+)\}" multi
| bytes/1024/1024/1024 as gbytes
| sum(gbytes) as gbytes by source
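To check offline what the two queries above compute, the following added example (not part of the original article or Sumo Logic's own code) applies the same parse regex in Python to exported volume messages and reports how much of the total belongs to InternalCollector. The sample messages are constructed, with a shape inferred from the regex on this page, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Python form of the article's parse regex; Python writes named groups as (?P<...>).
ENTRY = re.compile(
    r'"(?P<name>(?:[^"]+)|(?:""))":\{"sizeInBytes":(?P<bytes>\d+),"count":(?P<count>\d+)\}'
)
GIB = 1024 ** 3  # same divisor as bytes/1024/1024/1024 in the query

# Constructed sample messages (assumption: one JSON-like object per message,
# keyed by collector name, as the regex implies).
SAMPLE_MESSAGES = [
    '{"prod-web":{"sizeInBytes":3221225472,"count":9000},'
    '"InternalCollector":{"sizeInBytes":1073741824,"count":1200}}',
    '{"prod-web":{"sizeInBytes":1073741824,"count":3000},'
    '"InternalCollector":{"sizeInBytes":1073741824,"count":800}}',
]


def gbytes_by_name(messages):
    """Equivalent of `parse regex ... multi | sum(gbytes) by collector`."""
    totals = defaultdict(float)
    for msg in messages:
        # finditer plays the role of "multi": every entry in a message is counted.
        for m in ENTRY.finditer(msg):
            totals[m.group("name")] += int(m.group("bytes")) / GIB
    return dict(totals)


def internal_share(totals, internal_name="InternalCollector"):
    """Fraction of total volume attributed to the internal collector or source."""
    total = sum(totals.values())
    return totals.get(internal_name, 0.0) / total if total else 0.0


if __name__ == "__main__":
    totals = gbytes_by_name(SAMPLE_MESSAGES)
    for name, gb in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{name:20s} {gb:8.2f} GB")
    print(f"InternalCollector share: {internal_share(totals):.1%}")
```

For source_volume messages, pass `internal_name="InternalSource"` to `internal_share`.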