What search can list the Empty indexes which are n...

deepthi5 · ‎09-22-2022

Hi team,

I am from admin team i wanted to how many of indexes are empty and are not having data anymore in it so that i can remove those indexes and clean up my indexes.conf

Can we have a query or a way to find this

deepthi5 · ‎09-26-2022

This is taking tooo long when i run for All Time

johnhuang · ‎09-26-2022

Here's a way to see the current size and event count of your indexes:

| rest /services/data/indexes
| table title currentDBSizeMB totalEventCount
| rename title AS index_name
| stats sum(currentDBSizeMB) AS index_size_mb sum(totalEventCount) AS event_ct BY index_name

gcusello · ‎09-22-2022

Hi @deepthi5,

you have to put a list of your indexes in a lookup, called e.g. indexes.csv containing at least one column called index

then you have to run a search like the following:

| metasearch index=*
| stats count BY index
| append [ | inputlookup indexes.csv | eval count=0 | fields index count ]
| stats sum(count) AS total BY index
| where total=0

Ciao.

Giuseppe

What search can list the Empty indexes which are not sending data to splunk enterprise?

index

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash