- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: What is the Average Usage in the MC’s Indexes ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see the following -
What is the Average Usage % and the 90th Percentile Usage % of the indexes in the Monitoring Console?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ddrillic,
there must be some misunderstanding here; the usage is not related if users are searching these indexes, it is related to size (eq disk/space usage) of the index.
If you look at the search you will get a better understanding:
| rest splunk_server_group=dmc_group_indexer splunk_server_group="*" /services/data/indexes datatype=all
| join title splunk_server type=outer [rest splunk_server_group=dmc_group_indexer splunk_server_group="*" /services/data/indexes-extended datatype=all]
| `dmc_exclude_indexes`
| eval elapsedTime = now() - strptime(minTime,"%Y-%m-%dT%H:%M:%S%z")
| eval dataAge = ceiling(elapsedTime / 86400)
| eval indexSizeGB = if(currentDBSizeMB >= 1 AND totalEventCount >=1, currentDBSizeMB/1024, null())
| eval maxSizeGB = maxTotalDataSizeMB / 1024
| eval sizeUsagePerc = indexSizeGB / maxSizeGB * 100 | stats dc(splunk_server) AS Instances
count(indexSizeGB) as "Non-Empty Instances"
sum(indexSizeGB) AS totalSize
avg(indexSizeGB) as averageSize
avg(sizeUsagePerc) as averageSizePerc
perc90(sizeUsagePerc) as ninetyPercentileSizePerc
count(eval(sizeUsagePerc > 95)) as instancesFreezingDueToSize
median(dataAge) as medianDataAge
max(dataAge) as oldestDataAge
count(eval(elapsedTime > frozenTimePeriodInSecs)) as instancesFreezingDueToAge
sum(frozenTimePeriodInSecs) as infiniteFreezingFlag
by title, datatype
Hope this helps to understand the meaning.
If not post a feedback on the docs page as woodcock mentioned.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ddrillic,
there must be some misunderstanding here; the usage is not related if users are searching these indexes, it is related to size (eq disk/space usage) of the index.
If you look at the search you will get a better understanding:
| rest splunk_server_group=dmc_group_indexer splunk_server_group="*" /services/data/indexes datatype=all
| join title splunk_server type=outer [rest splunk_server_group=dmc_group_indexer splunk_server_group="*" /services/data/indexes-extended datatype=all]
| `dmc_exclude_indexes`
| eval elapsedTime = now() - strptime(minTime,"%Y-%m-%dT%H:%M:%S%z")
| eval dataAge = ceiling(elapsedTime / 86400)
| eval indexSizeGB = if(currentDBSizeMB >= 1 AND totalEventCount >=1, currentDBSizeMB/1024, null())
| eval maxSizeGB = maxTotalDataSizeMB / 1024
| eval sizeUsagePerc = indexSizeGB / maxSizeGB * 100 | stats dc(splunk_server) AS Instances
count(indexSizeGB) as "Non-Empty Instances"
sum(indexSizeGB) AS totalSize
avg(indexSizeGB) as averageSize
avg(sizeUsagePerc) as averageSizePerc
perc90(sizeUsagePerc) as ninetyPercentileSizePerc
count(eval(sizeUsagePerc > 95)) as instancesFreezingDueToSize
median(dataAge) as medianDataAge
max(dataAge) as oldestDataAge
count(eval(elapsedTime > frozenTimePeriodInSecs)) as instancesFreezingDueToAge
sum(frozenTimePeriodInSecs) as infiniteFreezingFlag
by title, datatype
Hope this helps to understand the meaning.
If not post a feedback on the docs page as woodcock mentioned.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Much appreciated @MuS.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Whenever I have questions like this I try to find the appropriate documentation page (start here: https://docs.splunk.com/Documentation/Splunk/latest/DMC/HowtheDMCworks) and go to the bottom and click No in the Was this topic useful? section and explain what is missing. Splunk's documentation team ROCKS and their docs are the best I have ever seen. You WILL get an answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @woodcock.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ddrillic,
you might have to add more context around this question, because the average usage and the 90th percentile usage of your deployment is exactly what it tells you it is: the overall average usage in % and the 90th percentile usage in % over all indexers that are configured to be used in this MC instance.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@MuS , so I see indexes with Average Usage % of zero and I wonder what it means. Does it mean that no queries were issued against them in a certain time frame? If so, what's the time frame?
I just wonder if these indexes are good candidates to be removed from the system...
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
