How to edit my search to find the number of retent...

sai_kumar_bolla · ‎01-13-2016

I have the following search to calculate the RetentionDays of all the indexes in a cluster, but I'm unable to fetch the RetentionDays of the specific index name out of the results which has returned by the below search.

| rest/services/data/indexes splunk_server="*-splunkp*" | stats max(eval(round(frozenTimePeriodInSecs/86400))) as RetentionDays by title | rename title as index

This search returns multiple indexes and for an instance, I need only book_core from the search. How do I filter it?

somesoni2 · ‎01-13-2016

Try like this

| rest/services/data/indexes splunk_server="-splunkp" | search title="book_core" | stats max(eval(round(frozenTimePeriodInSecs/86400))) as RetentionDays by title | rename title as index

sai_kumar_bolla · ‎01-13-2016

Great!!. It worked and thanks!!

acharlieh · ‎01-13-2016

Depending on your number of indexes and goals, you may want to consider

| rest /services/data/indexes/book_core splunk_server="*-splunkp*" | stats ...

instead of filtering with search. As /data/indexes will only return 30 indexes per server, unless you tweak the count parameter, but then you could be getting back much more data than you wanted/needed from each indexer.

How to edit my search to find the number of retention days (frozenTimePeriodInSecs/86400) for a specific index?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability