Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What search can list the Empty indexes which are not sending data to splunk enterprise?

deepthi5
Path Finder
‎09-22-2022 07:25 AM

Hi team,

I am from admin team i wanted to how many of indexes are empty and are not having data anymore in it so that i can remove those indexes and clean up my indexes.conf 

 

Can we have a query or a way to find this 

Labels (1)
Labels
0 Karma
Reply

deepthi5
Path Finder
‎09-26-2022 09:31 AM

This is taking tooo long when i run for All Time 

0 Karma
Reply

johnhuang
Motivator
‎09-26-2022 05:11 PM

Here's a way to see the current size and event count of your indexes:

| rest /services/data/indexes
| table title currentDBSizeMB totalEventCount
| rename title AS index_name
| stats sum(currentDBSizeMB) AS index_size_mb sum(totalEventCount) AS event_ct BY index_name

 

Reply

gcusello
SplunkTrust
SplunkTrust
‎09-22-2022 07:31 AM

Hi @deepthi5,

you have to put a list of your indexes in a lookup, called e.g. indexes.csv containing at least one column called index

then you have to run a search like the following:

| metasearch index=*
| stats count BY index
| append [ | inputlookup indexes.csv | eval count=0 | fields index count ]
| stats sum(count) AS total BY index
| where total=0

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...