topic Re: Rest command from saved search in Getting Data In

Rest command from saved search

reed_kelly — Mon, 28 Jan 2013 01:51:06 GMT

I'm trying to capture index disk utilization to a summary index using a rest command. The command is something like:
|rest /services/data/indexes |table splunk_server,title,currentDBSizeMB

This produces a nice table with indexers, indexes and how much disk space each index is taking.

When I run this from a scheduled search, however, I get the following warning in the Inspect screen:
...
WARN: Unable to fetch REST endpoint '/services/data/indexes' from "

In addition, nothing shows up in the specified summary index.

Any suggestions for getting disk utilization by index saved to a summary index for trend reporting?

Search head is Splunk 4.3.1.

Re: Rest command from saved search

reed_kelly — Mon, 28 Jan 2013 02:27:09 GMT

Update: I tried adding "|collect index=my_summary" to the end of the search and nothing was saved to the summary index. It didn't matter if I ran it interactively. I can see the results in the GUI, but nothing gets written to the summary index.

Re: Rest command from saved search

MarioM — Mon, 28 Jan 2013 09:17:01 GMT

i am not sure if it is a typo but "server" doesnot exist(splunk_server is the right field) and when i do the following it works for me:

| rest /services/data/indexes | table splunk_server,title,currentDBSizeMB | sort - currentDBSizeMB | collect index=summary_rest

Re: Rest command from saved search

reed_kelly — Mon, 28 Jan 2013 13:08:48 GMT

Are you saying that your summary index gets populated? What version are you running?

Re: Rest command from saved search

reed_kelly — Mon, 28 Jan 2013 13:34:29 GMT

OK. It's working now. I have no idea why it took so long to populate. The typo was in the above question, but it was not in the query on the server. I don't have an explanation, but I'm going to accept your answer.

Re: Rest command from saved search

MarioM — Mon, 28 Jan 2013 17:22:20 GMT

for records i am running v5.0.1