Splunk Search

How to create a search to find out unused indexes?

kteng2024
Path Finder

I am looking for indexes which are utilizing only 10%-20% of storage allocated to them. Can i please know is there any query to find out that.I know that we can look into DMC but i specifically need only the indexes that uses only 10%-20% of storage for last 30 days.

Labels (1)
0 Karma

somesoni2
SplunkTrust
SplunkTrust

How are you planning to decide on what the total storage allocated for an index? An index can go to maximum size as defined in maxTotalDataSizeMB = * The maximum size of an index (in MB) OR based on retention period as defined in frozenTimePeriodInSecs= * Number of seconds after which indexed data rolls to frozen.

0 Karma

Dey1
New Member

Can you help with a query to find out which indexs are not used 

0 Karma

adonio
Ultra Champion

try this

    | rest /services/data/indexes-extended
    | table title currentDBSizeMB maxTotalDataSizeMB
    | eval percent_full = round(currentDBSizeMB/maxTotalDataSizeMB*100, 2)
     rename COMMENT as "now you can add your where or search clause"
    | where percent_full =<20

hope it helps

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...