Getting Data In

Can you help me craft a search that returns all indexes with their associated retention times?

awmorris
Path Finder

Technically, this is two questions in one with the goal of solving a single problem: I need an SPL query that returns ALL the indexes I can search and the associated retention time for each. Here is how far I've gotten:

| rest /services/data/indexes | eval yr = floor(frozenTimePeriodInSecs/86400/365)| eval dy = (frozenTimePeriodInSecs/86400) % 365 | eval ret = yr . " years, " . dy . " days" | stats list(splunk_server) list(frozenTimePeriodInSecs) list(ret) by title

The query above is very very close, but it only returns a subset of the indexes — technically, it only returns 32 index names to me, and I have many more than that. (Note: starting with "rest /services/admin/indexes ... " makes no difference either.)

My second query is this:

| eventcount summarize=false index=* index=_* | dedup index | fields index

That will return all 250+ index names, but I can't seem to find any way to get back to the retention period.

So my two questions are:
1) Why is the rest command only pulling a subset (<15%) of all indexes that are returned by the event count query?
2) How can I get a single query that gets to my goal to have a single SPL query that shows all 250+ indexes and their associated retention setting?


woodcock
Esteemed Legend

There is a search on the Monitoring Console that gives you most of this but it is missing a piece: how to see what your actual effective retention is based on the buckets that are freezing. You can see that part with this search:

index="_internal" AND sourcetype="splunkd" AND bucketmover AND freeze 
| rex "[\/\\\](?<indexname>[^\/\\\]*)[\/\\\][^\/\\\]*db[\/\\\]db_(?<newestTime>\d+)_(?<oldestTime>\d+)_\d+" 
| rex "db_(?<newestTime>\d+)_(?<oldestTime>\d+)_\d+.*?[\/\\\](?<indexname>[^\/\\\]*)[\/\\\][^\/\\\]*db" 
| sort 0 indexname - oldestTime
| dedup indexname 
| eval retention = _time - oldestTime 
| fieldformat retention = tostring(retention, "duration") 
| table _time indexname retention

bandit
Motivator

Dashboard to interactively review index parameters and their values:

<form theme="dark">
  <label>Indexes</label>
  <fieldset submitButton="false">
    <input type="text" token="title_pattern" searchWhenChanged="true">
      <label>Index Pattern</label>
      <default>*</default>
    </input>
    <input type="text" token="title_list" searchWhenChanged="true">
      <label>Index List (,separated)</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="title" searchWhenChanged="true">
      <label>Index</label>
      <choice value="*">All</choice>
      <fieldForLabel>title</fieldForLabel>
      <fieldForValue>title</fieldForValue>
      <search>
        <query>| rest /services/data/indexes 
| search title="*$title_pattern$*" title IN($title_list$)
| dedup title
| table title 
| sort title</query>
        <earliest>-1m</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
    </input>
    <input type="text" token="parameter_pattern" searchWhenChanged="true">
      <label>Parameter Pattern</label>
      <default>*</default>
    </input>
    <input type="text" token="parameter_list" searchWhenChanged="true">
      <label>Parameter List  (,separated)</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="parameter" searchWhenChanged="true">
      <label>Parameter</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>parameter</fieldForLabel>
      <fieldForValue>parameter</fieldForValue>
      <search>
        <query>| rest /services/data/indexes 
| search title=$title$ title="*$title_pattern$*" title IN($title_list$) 
| transpose 0 column_name="parameter" header_field="title" 
| search parameter="*$parameter_pattern$*" parameter IN($parameter_list$) NOT parameter="parameter"
| table parameter</query>
        <earliest>-1m</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="value_pattern" searchWhenChanged="true">
      <label>Value Pattern</label>
      <default>*</default>
    </input>
    <input type="text" token="value" searchWhenChanged="true">
      <label>Value (exact)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Index Parameters</title>
      <table>
        <search>
          <query>| rest /services/data/indexes 
| search title=$title$ title="*$title_pattern$*" title IN($title_list$) 
| transpose 0 column_name="parameter" header_field="title" 
| search parameter="*$parameter_pattern$*" parameter IN($parameter_list$) parameter="$parameter$" 
| untable parameter title value 
| table title parameter value 
| eval {parameter}=value 
| search value="*$value_pattern$*" value="$value$" 
| table title parameter value 
| chart limit=1000000 values(value) as value by parameter title</query>
          <earliest>-30m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">15</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

awmorris
Path Finder

Updated info: If I use an account with Administrator privileges, I get the full list, not just the 32, so it must be a permission thing somehow.


renjith_nair
Legend

@awmorris,

By default, the maximum number of entries returned is 30. Please refer to this documentation:

Maximum number of entries to return. Set value to 0 to get all available entries.

http://docs.splunk.com/Documentation/Splunk/7.1.2/RESTREF/RESTprolog#Pagination_and_filtering_parame...

Try

| rest /services/data/indexes count=0

to override the default value.

---
What goes around comes around. If it helps, hit it with Karma 🙂

awmorris
Path Finder

Good callout on the count limit... but I still only get 32. 😞


renjith_nair
Legend

@awmorris,

Also check the permissions as mentioned in the doc http://docs.splunk.com/Documentation/Splunk/7.1.2/RESTREF/RESTintrospect#data.2Findexes

**Authorization and authentication**
By default, all users can list all indexes. However, if the indexes_list_all capability is enabled in authorize.conf, access to all indexes is limited to only those roles with this capability.

To enable indexes_list_all capability restrictions on the data/indexes endpoint, create a [capability::indexes_list_all] stanza in authorize.conf. Specify indexes_list_all=enabled for any role permitted to list all indexes from this endpoint. 
---
What goes around comes around. If it helps, hit it with Karma 🙂
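As an added illustration (not code from this thread or from Splunk), the retention arithmetic of the original query combined with the two checks raised in the answers above: whether the 30-entry default page size truncated the list (count=0 fixes that) and, if not, whether indexes_list_all authorization is the remaining cause. The base URL and the JSON response are constructed assumptions modelled on the REST JSON output shape:

```python
import json
from urllib.parse import urlencode

# Constructed sample of a /services/data/indexes?output_mode=json reply.
# Structure (paging/entry/content) follows the Splunk REST JSON layout;
# the index names and values are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "paging": {"total": 250, "perPage": 30, "offset": 0},
    "entry": [
        {"name": "main", "content": {"frozenTimePeriodInSecs": 188697600}},
        {"name": "_internal", "content": {"frozenTimePeriodInSecs": 2592000}},
        {"name": "security", "content": {"frozenTimePeriodInSecs": 31536000}},
    ],
})

def indexes_url(base_url, count=0):
    """Build the endpoint URL; count=0 overrides the 30-entry default page size."""
    params = urlencode({"output_mode": "json", "count": count})
    return f"{base_url.rstrip('/')}/services/data/indexes?{params}"

def retention_label(secs):
    """Same years/days split as the original SPL: 86400 s per day, 365 days per year."""
    days_total = secs // 86400
    return f"{days_total // 365} years, {days_total % 365} days"

def retention_by_index(response_text):
    """Map each index name to (frozenTimePeriodInSecs, human-readable label)."""
    data = json.loads(response_text)
    result = {}
    for entry in data.get("entry", []):
        secs = int(entry["content"]["frozenTimePeriodInSecs"])
        result[entry["name"]] = (secs, retention_label(secs))
    return result

def truncated(response_text):
    """True when the server reports more indexes than this page contains,
    i.e. the count limit cut the list short. If this is False but indexes
    are still missing, the cause is authorization (indexes_list_all), not paging."""
    data = json.loads(response_text)
    total = data.get("paging", {}).get("total", 0)
    return len(data.get("entry", [])) < total

if __name__ == "__main__":
    print(indexes_url("https://splunk.example:8089"))
    for name, (secs, label) in retention_by_index(SAMPLE_RESPONSE).items():
        print(f"{name:12s} {secs:>12d}  {label}")
    print("page truncated:", truncated(SAMPLE_RESPONSE))
```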

adonio
Ultra Champion

I tried your top search and it works nicely.
Can you double check?
Or try this and use your evals:
| rest /services/data/indexes-extended
| table title frozenTimePeriodInSecs


awmorris
Path Finder

I reran it again... even this simple query ONLY returns 32 indexes:

"| rest /services/data/indexes-extended | table title frozenTimePeriodInSecs"


inventsekar
SplunkTrust

| rest /services/data/indexes -
technically, it only returns 32 index names to me and I have many more than that ?!?!?
May I know why it returns only 32?!?! On my Splunk, it returns more than 2000 indexes.

thanks and best regards,
Sekar

PS: If this or any post helped you in any way, please consider upvoting. Thanks for reading!

awmorris
Path Finder

This is the exact scenario I am facing.
