Solved: How can I duplicate the "Indexes" settings page?

adam_reber · ‎07-09-2015

I am wondering how the "Indexes" page under Settings is generated. Is there a way that I can pull the same information that is contained there without doing a search/summation over all of my data? This page loads instantly, so I assume it isn't performing any sort of search, and I'd like to use some of the information (like total index size, number of events, etc) in other places.

pradeepkumarg · ‎07-09-2015

Start by running the below search

|rest/servicesNS/nobody/search/data/indexes

View solution in original post

woodcock · ‎07-09-2015

You can some of the stuff like this:

|rest/services/properties/indexes
|rest/servicesNS/-/search/data/indexes

But to get every bit of usage stuff, you may need to mine the internal/introspection indices like DMC and SoS do. I would download those apps and take a look at their dashboards (in xml) and you should be able to copy the code directly from there and use it as-is (except for those that use data created by the SoS TA).

https://splunkbase.splunk.com/app/748/
http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/ConfiguretheMonitoringConsole

pradeepkumarg · ‎07-09-2015

Start by running the below search

|rest/servicesNS/nobody/search/data/indexes

adam_reber · ‎07-10-2015

So it looks like almost everything I need is there, but I'm still missing some useful info. Is there a quick way to get the time information, (like first event, latest event) without performing a search over the whole index? This info is loaded instantly on the settings page, I figured it must be stored as metadata somewhere. The time info would be extremely helpful in identifying when data stops coming in to particular indexes.

adam_reber · ‎07-09-2015

Excellent, I figured it was something simple. Thanks!

How can I duplicate the "Indexes" settings page?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life