Dashboards & Visualizations

How to generate a timechart of each index showing its cumulative disk usage so that I could predict the disk usage for future timestamps ?

sajeeshpn
New Member

Hi,

I am new to Splunk and I am trying to generate a timechart of each Splunk index showing its cumulative disk usage till now. So that I could do a predict of disk usage for future timestamps.

Thanks,
Sajeesh

Tags (1)
0 Karma
1 Solution

masonmorales
Influencer

I spent some time on this question because I thought it was pretty good. As it turns out, there isn't really an easy way to do this, but you can get pretty close using dbinspect. Note: I had to use a time range of 24 hours or the results were inaccurate. The searches below charted several months of data for me though.

Total disk usage for all indexes:

| dbinspect index=* | eval _time=startEpoch | bin _time span=1h | stats sum(sizeOnDiskMB) as sizeOnDiskMB by _time | accum sizeOnDiskMB as TotalSizeOnDiskMB  | eval TotalSizeOnDiskGB=round(TotalSizeOnDiskMB/1024)| timechart sum(TotalSizeOnDiskGB) as TotalSizeOnDiskGB

Total disk usage for a single index:

| dbinspect index=wineventlog splunk_server=se1* | eval _time=startEpoch | bin _time span=1h | stats sum(sizeOnDiskMB) as sizeOnDiskMB by _time index | accum sizeOnDiskMB as TotalSizeOnDiskMB  | eval TotalSizeOnDiskGB=round(TotalSizeOnDiskMB/1024)| timechart sum(TotalSizeOnDiskGB) by index

You could put the second search in a dashboard with a drop-down for index. I tried a few different ways to get Spunk to chart disk usage over time by index but could not get it to display the results accurately.

View solution in original post

0 Karma

masonmorales
Influencer

I spent some time on this question because I thought it was pretty good. As it turns out, there isn't really an easy way to do this, but you can get pretty close using dbinspect. Note: I had to use a time range of 24 hours or the results were inaccurate. The searches below charted several months of data for me though.

Total disk usage for all indexes:

| dbinspect index=* | eval _time=startEpoch | bin _time span=1h | stats sum(sizeOnDiskMB) as sizeOnDiskMB by _time | accum sizeOnDiskMB as TotalSizeOnDiskMB  | eval TotalSizeOnDiskGB=round(TotalSizeOnDiskMB/1024)| timechart sum(TotalSizeOnDiskGB) as TotalSizeOnDiskGB

Total disk usage for a single index:

| dbinspect index=wineventlog splunk_server=se1* | eval _time=startEpoch | bin _time span=1h | stats sum(sizeOnDiskMB) as sizeOnDiskMB by _time index | accum sizeOnDiskMB as TotalSizeOnDiskMB  | eval TotalSizeOnDiskGB=round(TotalSizeOnDiskMB/1024)| timechart sum(TotalSizeOnDiskGB) by index

You could put the second search in a dashboard with a drop-down for index. I tried a few different ways to get Spunk to chart disk usage over time by index but could not get it to display the results accurately.

0 Karma

sajeeshpn
New Member

Thank you very much !!

The second search string for "Total disk usage for a single index" gives results similar to what I wanted.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...