Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Rest command from saved search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to capture index disk utilization to a summary index using a rest command. The command is something like:
|rest /services/data/indexes |table splunk_server,title,currentDBSizeMB
This produces a nice table with indexers, indexes and how much disk space each index is taking.
When I run this from a scheduled search, however, I get the following warning in the Inspect screen:
...
WARN: Unable to fetch REST endpoint '/services/data/indexes' from "
In addition, nothing shows up in the specified summary index.
Any suggestions for getting disk utilization by index saved to a summary index for trend reporting?
Search head is Splunk 4.3.1.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am not sure if it is a typo but "server" doesnot exist(splunk_server is the right field) and when i do the following it works for me:
| rest /services/data/indexes | table splunk_server,title,currentDBSizeMB | sort - currentDBSizeMB | collect index=summary_rest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am not sure if it is a typo but "server" doesnot exist(splunk_server is the right field) and when i do the following it works for me:
| rest /services/data/indexes | table splunk_server,title,currentDBSizeMB | sort - currentDBSizeMB | collect index=summary_rest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
for records i am running v5.0.1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK. It's working now. I have no idea why it took so long to populate. The typo was in the above question, but it was not in the query on the server. I don't have an explanation, but I'm going to accept your answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you saying that your summary index gets populated? What version are you running?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update: I tried adding "|collect index=my_summary" to the end of the search and nothing was saved to the summary index. It didn't matter if I ran it interactively. I can see the results in the GUI, but nothing gets written to the summary index.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
