Search for raw size of multiple indexes in Dashboard

skirven
Communicator

Hi! I'm trying to set up a dashboard for users to be able to see how much raw data size they used over time and have users be able to select multiple indexes. (Note here: I do have most of my indexes sending this data daily to a Summary Index. I'm still working to clean up indexes, so this is a more real time option).

I'm trying to figure out what I may be doing wrong in this method? I get no results, when I feel I should. I've looked and looked and can't find a solution.

| gentimes start=-1 
| eval multi_index="activate_web main"
| makemv multi_index delim=" "
| mvexpand multi_index
| search index=multi_index
| eval raw_len=len(_raw) 
| stats sum(raw_len) AS event_size by index
| eval "Size in GB"=event_size/1024/1024/1024
| sort - event_size
| table index "Size in GB"

I'm trying to get the "multi-index" to do something like (Index=main OR index=activate_web) I did find this, which got me closer, but I'm not sure here what I'm missing: https://community.splunk.com/t5/Getting-Data-In/Form-with-a-multi-line-text-box-that-will-OR-every-l...

Thanks!
Stephen

0 Karma

Richfez
SplunkTrust

Perhaps it might be easier to base it off this data?

| rest /services/data/indexes count=0

For instance,

| rest /services/data/indexes count=0 
| table title currentDBSizeMB

And you can certainly filter that.

| rest /services/data/indexes count=0 
| search title!="_*" eai:acl.owner="nobody" eai:acl.perms.write="admin"
| table eai:acl.app eai:acl.owner currentDBSizeMB 
| rename eai:acl.app AS "App", eai:acl.owner AS "Owner", currentDBSizeMB AS "Current Size (MB)"

(count=0 is there to make sure if you have more than 30 indexes, it lists them all)

Happy Splunking,

Rich

0 Karma

skirven
Communicator

@Richfez - What I'm actually trying to do is create a report for the licensed consumption by index for specific indices, and have those values totaled (and use a Dashboard). The REST call, I don't believe, gives you the licensed volume.

As previously noted, I am doing some work with the "Chargeback" app, which dumps some of my index info into the system. (We've got over 400 indices, and 150 are empty. This would be to help combine some data, and retire some technical debt)

One thing I could probably do is just have the Input panel select the indexes, then use the "index IN ($index$)" idea, but I'm curious why my makemv didn't work?

Thanks,

Stephen

0 Karma

Richfez
SplunkTrust

Aha! You must be running that over, like, "today" or yesterday or whatever, to get a size of events from the last X period. OK, that makes sense.

First, the method Ayn proposed in your link only works with subsearches.

The equivalent might be...

[ | makeresults
  | eval index="activate_web main"
  | makemv index
  | mvexpand index]
| eval raw_len=len(_raw)
| stats sum(raw_len) AS event_size by index
| eval "Size in GB"=event_size/1024/1024/1024
| sort - event_size
| table index "Size in GB"

Try that one. 🙂

skirven
Communicator

That did it! Looks like I didn't have my syntax correct! Thank you very much!

-Stephen

0 Karma
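Putting the thread together as a Simple XML dashboard. This is an added example, not anything posted by skirven or Richfez, and it uses the "index IN ($index$)" approach skirven mentions rather than the subsearch. Why the original search returned nothing: only the leading search (or a subsearch spliced into it) retrieves events from the indexers; a later | search just filters the rows already in the pipeline, and here those rows are the synthetic ones from gentimes, which have no field named index, so index=multi_index matches nothing. Two panels are included because the numbers differ: len(_raw) counts characters, not bytes; currentDBSizeMB from the REST endpoint is the compressed on-disk size of the buckets; and the volume the license manager actually meters is written to license_usage.log in _internal, keyed by idx, which is what a licensed-consumption report should read. Assumptions are mine: the index names, the token names tr and idx, and that the dashboard's users hold a role permitted to search _internal and that the license manager's _internal data is reachable from this search head (in a distributed deployment that means the license manager forwards it to the indexers). A multiselect with valuePrefix, valueSuffix and delimiter expands $idx$ to "activate_web", "main", which is exactly the list the IN operator wants.

```xml
<form>
  <label>Ingest by index</label>
  <fieldset submitButton="true">
    <input type="time" token="tr">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Each chosen value is wrapped in quotes and comma-joined,
         so $idx$ expands to "activate_web", "main" (assumed index names).
         "*" is offered as an explicit choice so an empty selection never
         produces the syntax error index IN (). -->
    <input type="multiselect" token="idx">
      <label>Indexes</label>
      <choice value="*">All indexes</choice>
      <default>*</default>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>, </delimiter>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <!-- Populate the list from the indexes this user is allowed to see -->
      <search>
        <query>| eventcount summarize=false index=* | dedup index | fields index</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Raw event size (characters of _raw) by index</title>
      <table>
        <search>
          <!-- Same arithmetic as the thread, with the index filter in the
               leading search where it actually reaches the indexers -->
          <query>index IN ($idx$)
| eval raw_len=len(_raw)
| stats sum(raw_len) AS event_size by index
| eval "Size in GB"=round(event_size/1024/1024/1024, 3)
| sort - event_size
| table index "Size in GB"</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>Licensed volume by index (license_usage.log)</title>
      <table>
        <search>
          <!-- type=Usage events carry the metered byte count in b and the
               index in idx; addcoltotals supplies the grand total skirven wanted -->
          <query>index=_internal source=*license_usage.log* type="Usage" idx IN ($idx$)
| stats sum(b) AS bytes by idx
| eval "Licensed GB"=round(bytes/1024/1024/1024, 3)
| sort - bytes
| rename idx AS index
| table index "Licensed GB"
| addcoltotals labelfield=index label="Total"</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

One caveat on the second panel: when the number of distinct host/source/sourcetype/index combinations exceeds the license manager's squash_threshold, it stops reporting host and source in license_usage.log, but the per-index figure in idx survives squashing, so the by-index total stays usable. The first panel still has to read every event's _raw over the chosen range, which is why it is the slower of the two on large indexes.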