Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What search can list the Empty indexes which are not sending data to splunk enterprise?

deepthi5
Path Finder
‎09-22-2022 07:25 AM

Hi team,

I am from admin team i wanted to how many of indexes are empty and are not having data anymore in it so that i can remove those indexes and clean up my indexes.conf 

 

Can we have a query or a way to find this 

Labels (1)
Labels
0 Karma
Reply

deepthi5
Path Finder
‎09-26-2022 09:31 AM

This is taking tooo long when i run for All Time 

0 Karma
Reply

johnhuang
Motivator
‎09-26-2022 05:11 PM

Here's a way to see the current size and event count of your indexes:

| rest /services/data/indexes
| table title currentDBSizeMB totalEventCount
| rename title AS index_name
| stats sum(currentDBSizeMB) AS index_size_mb sum(totalEventCount) AS event_ct BY index_name

 

Reply

gcusello
SplunkTrust
SplunkTrust
‎09-22-2022 07:31 AM

Hi @deepthi5,

you have to put a list of your indexes in a lookup, called e.g. indexes.csv containing at least one column called index

then you have to run a search like the following:

| metasearch index=*
| stats count BY index
| append [ | inputlookup indexes.csv | eval count=0 | fields index count ]
| stats sum(count) AS total BY index
| where total=0

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
li.common.scroll-to.top