Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to generate a timechart of each index showing ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am new to Splunk and I am trying to generate a timechart of each Splunk index showing its cumulative disk usage till now. So that I could do a predict of disk usage for future timestamps.
Thanks,
Sajeesh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I spent some time on this question because I thought it was pretty good. As it turns out, there isn't really an easy way to do this, but you can get pretty close using dbinspect. Note: I had to use a time range of 24 hours or the results were inaccurate. The searches below charted several months of data for me though.
Total disk usage for all indexes:
| dbinspect index=* | eval _time=startEpoch | bin _time span=1h | stats sum(sizeOnDiskMB) as sizeOnDiskMB by _time | accum sizeOnDiskMB as TotalSizeOnDiskMB | eval TotalSizeOnDiskGB=round(TotalSizeOnDiskMB/1024)| timechart sum(TotalSizeOnDiskGB) as TotalSizeOnDiskGB
Total disk usage for a single index:
| dbinspect index=wineventlog splunk_server=se1* | eval _time=startEpoch | bin _time span=1h | stats sum(sizeOnDiskMB) as sizeOnDiskMB by _time index | accum sizeOnDiskMB as TotalSizeOnDiskMB | eval TotalSizeOnDiskGB=round(TotalSizeOnDiskMB/1024)| timechart sum(TotalSizeOnDiskGB) by index
You could put the second search in a dashboard with a drop-down for index. I tried a few different ways to get Spunk to chart disk usage over time by index but could not get it to display the results accurately.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I spent some time on this question because I thought it was pretty good. As it turns out, there isn't really an easy way to do this, but you can get pretty close using dbinspect. Note: I had to use a time range of 24 hours or the results were inaccurate. The searches below charted several months of data for me though.
Total disk usage for all indexes:
| dbinspect index=* | eval _time=startEpoch | bin _time span=1h | stats sum(sizeOnDiskMB) as sizeOnDiskMB by _time | accum sizeOnDiskMB as TotalSizeOnDiskMB | eval TotalSizeOnDiskGB=round(TotalSizeOnDiskMB/1024)| timechart sum(TotalSizeOnDiskGB) as TotalSizeOnDiskGB
Total disk usage for a single index:
| dbinspect index=wineventlog splunk_server=se1* | eval _time=startEpoch | bin _time span=1h | stats sum(sizeOnDiskMB) as sizeOnDiskMB by _time index | accum sizeOnDiskMB as TotalSizeOnDiskMB | eval TotalSizeOnDiskGB=round(TotalSizeOnDiskMB/1024)| timechart sum(TotalSizeOnDiskGB) by index
You could put the second search in a dashboard with a drop-down for index. I tried a few different ways to get Spunk to chart disk usage over time by index but could not get it to display the results accurately.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much !!
The second search string for "Total disk usage for a single index" gives results similar to what I wanted.
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
