Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search to find indexes with events and display index size, total events , earliest and latest events per index

mlevsh
Builder
‎02-21-2019 06:04 PM

Hi,

what would be the best way to find indexes with events and display its size, total events , earliest and latest events per index
on index cluster?

index      size      total_events     earliest event       latest event
alfa1        12Gb     1,000,000       2/2/2017 10:09    2/21/2019 9:01PM
alfa2       1Gb        90,000         1/1/2015  09:34   2/21/2109 9:02PM

Thank you in advance!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-22-2019 07:04 AM

Use dbinspect (and a stats command after dbinspect) to get those information.

https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Dbinspect

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-22-2019 07:04 AM

Use dbinspect (and a stats command after dbinspect) to get those information.

https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Dbinspect

0 Karma
Reply
Solved! Jump to solution

andhika_pratama
Explorer
‎02-22-2019 02:11 AM
  1. make a shell script to monitor directory size for each apps
  2. create monitor in inputs.conf with specified index & sourcetype and link it to shell script for each apps
  3. Make a field from selected pattern, name it index_size
  4. use querry: index=existing_index_0 OR index=existing_index_n |stats latest(index_size) as Size, count as total_events, earliest(_time) as FirstAppearance, latest(_time) as LastAppearance | fieldformat FirstAppearance=strftime(FirstAppearance,"%x %X") | fieldformat LastAppearance=strftime(LastAppearance,"%x %X")
Reply
Solved! Jump to solution

MuS
Legend
‎02-21-2019 06:12 PM

Hi mlevsh,

Don't re-invent the wheel, take a look at the Monitoring Console inside Splunk Settings >> Monitoring Console it contains dashboards that will show exactly what you want. Read more about the monitoring console here https://docs.splunk.com/Documentation/Splunk/latest/DMC/IndexingIndexesandvolumes

Hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

mlevsh
Builder
‎02-21-2019 07:47 PM

@MuS , unfortunately it won't help. dashboard needs to be a little different in order to see info about indexes with events only and no events

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...