What search can list the Empty indexes which are n...

deepthi5 · ‎09-22-2022

Hi team,

I am from admin team i wanted to how many of indexes are empty and are not having data anymore in it so that i can remove those indexes and clean up my indexes.conf

Can we have a query or a way to find this

deepthi5 · ‎09-26-2022

This is taking tooo long when i run for All Time

johnhuang · ‎09-26-2022

Here's a way to see the current size and event count of your indexes:

| rest /services/data/indexes
| table title currentDBSizeMB totalEventCount
| rename title AS index_name
| stats sum(currentDBSizeMB) AS index_size_mb sum(totalEventCount) AS event_ct BY index_name

gcusello · ‎09-22-2022

Hi @deepthi5,

you have to put a list of your indexes in a lookup, called e.g. indexes.csv containing at least one column called index

then you have to run a search like the following:

| metasearch index=*
| stats count BY index
| append [ | inputlookup indexes.csv | eval count=0 | fields index count ]
| stats sum(count) AS total BY index
| where total=0

Ciao.

Giuseppe

What search can list the Empty indexes which are not sending data to splunk enterprise?

index

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

What search can list the Empty indexes which are not sending data to splunk enterprise?

index

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I