Alerting

How to set up an alert if any index size goes over 90%?

arber
Communicator

Hello,
I'm trying to create an alert if any of the indexes I have is filled to more than 90% of its space. I found something, but it gives results for the actual size of the indexes:
| eventcount summarize=false report_size=true index=* | eval size_MB=size_bytes/(1024*1024)

But nothing regarding the percentage that is used. Maybe there is an app I can install that has this kind of search?

Any clue on this?

1 Solution

MuS
SplunkTrust

Hi arber,

you can use this REST search:

| rest /services/data/indexes | eval perc=(currentDBSizeMB * 100 / maxTotalDataSizeMB ) | table title currentDBSizeMB maxTotalDataSizeMB perc

and create an alert out of it.

hope this helps ...

cheers, MuS

arber
Communicator

Never mind, I found it 🙂. Just add the splunk_server:
| rest /services/data/indexes | eval perc=(currentDBSizeMB * 100 / maxTotalDataSizeMB ) | table title currentDBSizeMB maxTotalDataSizeMB perc splunk_server

0 Karma

Abilan1
Path Finder

Hi,

I would like to set up an alert for only one specific index. This query shows all the indexes. Please let me know how I can get it only for that specific index?

Thanks

0 Karma

MuS
SplunkTrust

Untested since no Splunk is available at this time of the day, but try:

| rest /services/data/indexes | search title=TheIndexYouWant | eval perc=(currentDBSizeMB * 100 / maxTotalDataSizeMB ) | table title currentDBSizeMB maxTotalDataSizeMB perc

Abilan1
Path Finder

hey,

it is working... Thanks!!

0 Karma

MuS
SplunkTrust

Feel free to up-vote this comment and/or answer 😉

arber
Communicator

I'm trying to run this from our main Splunk instance. Basically it shows all indexes of all indexers that we have in our infrastructure. But is there a way to tell that this index is from this indexer and so on? Because at the moment with this command you cannot get this info.

0 Karma

MuS
SplunkTrust
0 Karma

arber
Communicator

thanks a lot

0 Karma

arber
Communicator

Thanks a lot, it works

0 Karma
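
One way to turn the searches in this thread into a scheduled alert, as an added example that is not part of any poster's reply: a savedsearches.conf stanza that keeps only rows above 90%, reports the indexer via splunk_server, and throttles per indexer/index pair. The stanza name, schedule, throttle period and e-mail recipient are placeholders chosen for illustration.

```ini
# savedsearches.conf (constructed example; stanza name, schedule and recipient are placeholders)
[Index usage over 90 percent]
# Run from the search head: | rest returns one row per index per indexer (splunk_server).
# The maxTotalDataSizeMB>0 filter guards the division; disabled=0 skips disabled indexes.
search = | rest /services/data/indexes \
| search disabled=0 maxTotalDataSizeMB>0 \
| eval perc=round(currentDBSizeMB * 100 / maxTotalDataSizeMB, 1) \
| where perc > 90 \
| table splunk_server title currentDBSizeMB maxTotalDataSizeMB perc \
| sort - perc
enableSched = 1
cron_schedule = */30 * * * *

# Trigger once per returned row (per indexer/index pair over the threshold)
alert.digest_mode = 0
counttype = number of events
relation = greater than
quantity = 0

# Throttle repeats for the same indexer/index pair
alert.suppress = 1
alert.suppress.fields = splunk_server,title
alert.suppress.period = 4h

alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = splunk-admins@example.com
```

To alert on a single index, add title=TheIndexYouWant to the search line as in the reply above. maxTotalDataSizeMB is the per-index cap, so an index stored on a size-limited volume can start rolling data out before perc reaches 90.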