Splunk Search

How to find out unused indexes in DMC?

AbilashSe
Explorer

Could anyone please help to find out unused indexes in Splunk DMC

0 Karma

gcusello
SplunkTrust

Hi AbilashSe,
if you want to see unused indexes you could go to [Indexing -- Indexes and Volumes -- Index Detail: Deployment] and check, for each index, whether it has not received logs for a long time.
If you want a report of the last and first event of each index, use something like this:

| rest splunk_server_group=dmc_group_indexer /services/data/indexes
| stats max(maxTime) AS maxTime, min(minTime) AS minTime BY title
| table title maxTime minTime

Bye.
Giuseppe

0 Karma
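The REST search above reports maxTime, which is the newest event timestamp in each index, not when data was last written. A source that sends backdated or future-dated events makes an index look staler or fresher than it is. As an added example that is not part of the original thread, the following search measures "unused" by indexing time instead: it lists every enabled, non-internal index known to the indexer group (assumed to be named dmc_group_indexer, the default Monitoring Console group) and joins in the last _indextime seen by tstats. It assumes the search runs on the Monitoring Console search head, which has the indexers as search peers; the 2 year window and the 90 day staleness threshold are illustrative choices.

```spl
| rest splunk_server_group=dmc_group_indexer /services/data/indexes
| search NOT title=_* disabled=0
| rename title AS index
| stats dc(splunk_server) AS indexers BY index
| append [
    | tstats max(_indextime) AS lastIndexed
        where index=* earliest=-2y latest=+1d
        by index
  ]
| stats max(indexers) AS indexers, max(lastIndexed) AS lastIndexed BY index
| where indexers > 0
| eval daysSinceIndexed=if(isnull(lastIndexed), null(), floor((now()-lastIndexed)/86400))
| eval status=case(isnull(lastIndexed), "no data indexed in last 2 years",
                   daysSinceIndexed>90, "stale (>90 days)",
                   true(), "active")
| sort - daysSinceIndexed
| table index indexers lastIndexed daysSinceIndexed status
```

The `where indexers > 0` line drops rows that only came from tstats, so indexes that exist on peers outside the group do not leak into the report; the `search NOT title=_* disabled=0` line keeps Splunk's own internal indexes and disabled index definitions out of the "unused" list, where they would otherwise show up as false positives.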

faisal_mansour
Loves-to-Learn Lots

Thanks for the query, I developed it into something usable:

| rest splunk_server_group=dmc_group_indexer /services/data/indexes
| stats max(maxTime) AS latestEvent BY title
| eval elapsedTime = now() - strptime(latestEvent,"%Y-%m-%dT%H:%M:%S%z"),  daysSince = ceiling(elapsedTime / 86400)
| eval daysSinceLastEvent = case(daysSince<0, -1, daysSince=0, 0, daysSince>0, daysSince)
| eval indexStatus = case(isnull(daysSinceLastEvent), "no events",
                          daysSinceLastEvent>730, "Nothing Since 2 years",
                          daysSinceLastEvent>365, "Nothing Since last year",
                          daysSinceLastEvent>0, "used in last year",
                          daysSinceLastEvent=0, "Till today",
                          daysSinceLastEvent<0, "bad future timestamp")
| fields title latestEvent daysSinceLastEvent indexStatus
0 Karma

AbilashSe
Explorer

Hi Giuseppe,

Thanks for the update..
I would like to get the count of unused indexes.

Could you please help me?

Regards,
Abilash

0 Karma

gcusello
SplunkTrust

Hi AbilashSe,
when you say "unused indexes", do you mean:

  • indexes without events,
  • indexes with events older than a date (e.g. "2017-09-04 8:00:00")?

In the first case:

| rest splunk_server_group=dmc_group_indexer /services/data/indexes
| stats sum(totalEventCount) AS totalEvents BY title
| where totalEvents=0
| table title

In the second case, run something like this:

| rest splunk_server_group=dmc_group_indexer /services/data/indexes
| eval maxTime_epoch=strptime(maxTime,"%Y-%m-%dT%H:%M:%S%z")
| stats max(maxTime_epoch) AS maxTime_epoch, max(maxTime) AS maxTime, min(minTime) AS minTime BY title
| eval time_limit=strptime("2017-09-04 08:00:00","%Y-%m-%d %H:%M:%S")
| where maxTime_epoch<time_limit
| table title maxTime minTime

Bye.
Giuseppe

0 Karma
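The two cases above (indexes with no events at all, and indexes whose newest event is older than a cutoff) can be answered together with the count that was asked for earlier in the thread. This is an added example, not a search from the original answer: it aggregates the per-indexer REST rows into one row per index, classifies each index, and then counts indexes per class. It assumes the indexer group is named dmc_group_indexer and that the REST endpoint returns maxTime in the ISO form with a numeric timezone offset that the earlier reply parsed with `%Y-%m-%dT%H:%M:%S%z`; the 365 day threshold is an illustrative choice.

```spl
| rest splunk_server_group=dmc_group_indexer /services/data/indexes
| search NOT title=_* disabled=0
| eval lastEvent=strptime(maxTime, "%Y-%m-%dT%H:%M:%S%z")
| stats sum(totalEventCount) AS totalEvents,
        max(lastEvent) AS lastEvent,
        dc(splunk_server) AS indexers
        BY title
| eval daysSinceLastEvent=floor((now()-lastEvent)/86400)
| eval status=case(totalEvents=0 OR isnull(lastEvent), "empty (never received events)",
                   daysSinceLastEvent<0, "future timestamps (clock or parsing problem)",
                   daysSinceLastEvent>=365, "unused (no events for 365+ days)",
                   true(), "active")
| stats count AS indexes, values(title) AS names BY status
```

The first `stats` is what makes the classification correct in a multi-indexer deployment: the REST endpoint returns one row per index per indexer, so without it an index that is still written on one peer but idle on another would be reported twice with contradictory answers. For the fixed-date variant, replace the `daysSinceLastEvent>=365` branch with `lastEvent < strptime("2017-09-04 08:00:00", "%Y-%m-%d %H:%M:%S")`. Dropping the final `stats` gives the per-index detail instead of the summary count.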

inventsekar
Ultra Champion

Unused indexes meaning indexes that didn't receive data for how long? Or never received any data at all?!?! (empty index)

0 Karma

AbilashSe
Explorer

Indexes which didn't receive data for long time.

0 Karma