- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Rest command from saved search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to capture index disk utilization to a summary index using a rest command. The command is something like:
|rest /services/data/indexes |table splunk_server,title,currentDBSizeMB
This produces a nice table with indexers, indexes and how much disk space each index is taking.
When I run this from a scheduled search, however, I get the following warning in the Inspect screen:
...
WARN: Unable to fetch REST endpoint '/services/data/indexes' from "
In addition, nothing shows up in the specified summary index.
Any suggestions for getting disk utilization by index saved to a summary index for trend reporting?
Search head is Splunk 4.3.1.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am not sure if it is a typo but "server" doesnot exist(splunk_server is the right field) and when i do the following it works for me:
| rest /services/data/indexes | table splunk_server,title,currentDBSizeMB | sort - currentDBSizeMB | collect index=summary_rest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am not sure if it is a typo but "server" doesnot exist(splunk_server is the right field) and when i do the following it works for me:
| rest /services/data/indexes | table splunk_server,title,currentDBSizeMB | sort - currentDBSizeMB | collect index=summary_rest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
for records i am running v5.0.1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK. It's working now. I have no idea why it took so long to populate. The typo was in the above question, but it was not in the query on the server. I don't have an explanation, but I'm going to accept your answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you saying that your summary index gets populated? What version are you running?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update: I tried adding "|collect index=my_summary" to the end of the search and nothing was saved to the summary index. It didn't matter if I ran it interactively. I can see the results in the GUI, but nothing gets written to the summary index.
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
