Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What search can list the Empty indexes which are not sending data to splunk enterprise?

deepthi5
Path Finder
‎09-22-2022 07:25 AM

Hi team,

I am from admin team i wanted to how many of indexes are empty and are not having data anymore in it so that i can remove those indexes and clean up my indexes.conf 

 

Can we have a query or a way to find this 

Labels (1)
Labels
0 Karma
Reply

deepthi5
Path Finder
‎09-26-2022 09:31 AM

This is taking tooo long when i run for All Time 

0 Karma
Reply

johnhuang
Motivator
‎09-26-2022 05:11 PM

Here's a way to see the current size and event count of your indexes:

| rest /services/data/indexes
| table title currentDBSizeMB totalEventCount
| rename title AS index_name
| stats sum(currentDBSizeMB) AS index_size_mb sum(totalEventCount) AS event_ct BY index_name

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-22-2022 07:31 AM

Hi @deepthi5,

you have to put a list of your indexes in a lookup, called e.g. indexes.csv containing at least one column called index

then you have to run a search like the following:

| metasearch index=*
| stats count BY index
| append [ | inputlookup indexes.csv | eval count=0 | fields index count ]
| stats sum(count) AS total BY index
| where total=0

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...