Hi! I'm trying to set up a dashboard for users to be able to see how much raw data size they used over time and have users be able to select multiple indexes. (Note here: I do have most of my indexes sending this data daily to a Summary Index. I'm still working to clean up indexes, so this is a more real time option).
I'm trying to figure out what I may be doing wrong in this method? I get no results, when I feel I should. I've looked and looked and can't find a solution.
| gentimes start=-1
| eval multi_index="activate_web main"
| makemv multi_index delim=" "
| mvexpand multi_index
| search index=multi_index
| eval raw_len=len(_raw)
| stats sum(raw_len) AS event_size by index
| eval "Size in GB"=event_size/1024/1024/1024
| sort - event_size
| table index "Size in GB"
I'm trying to get the "multi-index" to do something like (Index=main OR index=activate_web) I did find this, which got me closer, but I'm not sure here what I'm missing: https://community.splunk.com/t5/Getting-Data-In/Form-with-a-multi-line-text-box-that-will-OR-every-l...
Thanks!
Stephen
Aha! You must be running that over, like, "today" or yesterday or whatever, to get a size of events from the last X period. OK, that makes sense.
First, the method Ayn proposed in your link only works with subsearches.
The equivalent might be...
[ | makeresults
| eval index="activate_web main"
| makemv index
| mvexpand index]
| eval raw_len=len(_raw)
| stats sum(raw_len) AS event_size by index
| eval "Size in GB"=event_size/1024/1024/1024
| sort - event_size
| table index "Size in GB"
Try that one. 🙂
Perhaps it might be easier to base it off this data?
| rest /services/data/indexes count=0
For instance,
| rest /services/data/indexes count=0
| table title currentDBSizeMB
And you can certainly filter that.
| rest /services/data/indexes count=0
| search title!="_*" eai:acl.owner="nobody" eai:acl.perms.write="admin"
| table eai:acl.app eai:acl.owner currentDBSizeMB
| rename eai:acl.app AS "App", eai:acl.owner AS "Owner", currentDBSizeMB AS "Current Size (MB)"
(count=0 is there to make sure if you have more than 30 indexes, it lists them all)
Happy Splunking,
Rich
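Added illustration (not from either poster) of why the subsearch form above works where the original `| search index=multi_index` did not: `search` treats `multi_index` as a literal value to match, and the `gentimes` pipeline never read any index in the first place. When the same `makeresults`/`makemv`/`mvexpand` pipeline is placed in square brackets, Splunk converts the rows it returns into an OR expression that becomes the base search. Appending `| format` shows that expression before it is used; the second search is the equivalent written with the `IN` operator, which is the form that binds most simply to a dashboard multiselect token. The index names are the two from the thread.

```spl
| makeresults
| eval index="activate_web main"
| makemv index
| mvexpand index
| format

index IN (activate_web, main)
| eval raw_len=len(_raw)
| stats sum(raw_len) AS event_size BY index
| eval "Size in GB"=round(event_size/1024/1024/1024, 3)
| sort - event_size
| table index "Size in GB"
```

The first search returns a single `search` field containing `( ( index="activate_web" ) OR ( index="main" ) )`, which is exactly what the bracketed subsearch injects. If `format` shows an empty or unexpected expression, the subsearch is the problem, not the `stats` that follows it.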
@Richfez - What I'm actually trying to do is create a report for the licensed consumption by index for specific indices, and have those values totaled (and use a Dashboard). The REST call, I don't believe, gives you the licensed volume.
As previously noted, I am doing some work with the "Chargeback" app, which dumps some of my index info into the system. (We've got over 400 indices, and 150 are empty. This would be to help combine some data, and retire some technical debt)
One thing I could probably do is just have the Input panel select the indexes, then use the "index IN ( $index$ )" idea, but I'm curious why my makemv didn't work?
Thanks,
Stephen
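Added example, not from the thread: the stated goal is licensed volume per index, which neither `len(_raw)` (an approximation of raw bytes) nor `rest /services/data/indexes` (on-disk size after compression) reports directly. Splunk's license manager records metering in `license_usage.log` under `_internal`, and its `type=Usage` events carry the metered bytes (`b`) per index (`idx`). This assumes the search head can search `_internal` on the license manager (in a distributed deployment the log lives there) and uses the thread's two index names as stand-ins for the indices being reported on.

```spl
index=_internal source=*license_usage.log* type="Usage" idx IN (activate_web, main)
| stats sum(b) AS bytes BY idx
| eval "Licensed GB"=round(bytes/1024/1024/1024, 3)
| sort - bytes
| fields idx "Licensed GB"
| addtotals col=true labelfield=idx label="Total"
```

`addtotals col=true` appends the summary row the report needs. For the dashboard version, replace the literal list with `idx IN ($index$)` and set the multiselect token's delimiter to a comma, the same pattern proposed above for `index`. Comparing this output against the `len(_raw)` search for the same time range is a quick way to confirm the two views agree before retiring the raw-size approach.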
That did it! Looks like I didn't have my syntax correct! Thank you very much!
-Stephen