I need to generate a daily report in Splunk with the list of all the indexes and their earliest event (timestamp) and their latest (timestamp). Is there a way to do it? I have the below queries.
For the start and end time:
| metadata type=sourcetypes index=XXX | stats min(firstTime) AS begin max(lastTime) AS end
For the list of indexes:
| eventcount summarize=false index=* dedup=index | top 0 index | fields index
Schedule this to run daily:
| rest /services/data/indexes
| search totalEventCount > 0
| eval now=strftime(now(), "%Y-%m-%d")
| stats first(maxTime) as maxTime first(minTime) as minTime first(now) as now first(currentDBSizeMB) as currentDBSizeMB by title
Awesome answer. For me this refinement was helpful.
| rest /services/data/indexes
| search totalEventCount > 0
| eval now=strftime(now(), "%Y-%m-%d")
| stats first(maxTime) as "Earliest Event Time" first(minTime) as "Latest Event Time" first(now) as "Current Date" first(currentDBSizeMB) as currentDBSizeMB by title
| rename title as "Index" | sort - currentDBSizeMB
| eval "Index Size in GB"= round(currentDBSizeMB/1000,2)
| table Index "Earliest Event Time" "Latest Event Time" "Current Date" "Index Size in GB"
Hello Andygerber,
I just believe you switched the Earliest with the Latest in your search. Am I right?
Thanks
Yes, I believe so... using a different account, or I would edit it. Corrected below:
| rest /services/data/indexes
| search totalEventCount > 0
| eval now=strftime(now(), "%Y-%m-%d")
| stats first(minTime) as "Earliest Event Time" first(maxTime) as "Latest Event Time" first(now) as "Current Date" first(currentDBSizeMB) as currentDBSizeMB by title
| rename title as "Index" | sort - currentDBSizeMB
| eval "Index Size in GB"= round(currentDBSizeMB/1000,2)
| table Index "Earliest Event Time" "Latest Event Time" "Current Date" "Index Size in GB"
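For anyone who wants the same report outside the search head (or to alert on it), here is an added Python example that is not from the thread: it takes rows shaped like the fields the `| rest /services/data/indexes` search above returns, applies the same `totalEventCount > 0` filter and MB/1000 rounding, and additionally flags indexes whose latest event is older than a threshold, which is the usual sign that a data source has silently stopped logging. The sample rows, the `SAMPLE_NOW` clock and the timestamp format are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows with the fields the thread's REST search uses.
# The timestamp format is an assumption; adjust parse_ts() to match your output.
SAMPLE_INDEXES = [
    {"title": "main", "totalEventCount": "120000",
     "minTime": "2023-01-02T00:00:00+0000", "maxTime": "2023-06-30T23:59:10+0000",
     "currentDBSizeMB": "5120"},
    {"title": "firewall", "totalEventCount": "80000",
     "minTime": "2023-03-01T08:00:00+0000", "maxTime": "2023-06-28T01:00:00+0000",
     "currentDBSizeMB": "2300"},
    # Empty index: mirrors what `| search totalEventCount > 0` drops.
    {"title": "_audit", "totalEventCount": "0",
     "minTime": "", "maxTime": "", "currentDBSizeMB": "1"},
]

# Constructed "report run" time so the example is reproducible offline.
SAMPLE_NOW = datetime(2023, 7, 1, 0, 0, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the assumed ISO-like minTime/maxTime strings into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def build_report(rows, now, stale_after=timedelta(hours=24)):
    """Build the per-index report rows from the thread, plus a staleness flag."""
    report = []
    for r in rows:
        if int(r["totalEventCount"]) <= 0:  # same filter as `| search totalEventCount > 0`
            continue
        earliest = parse_ts(r["minTime"])
        latest = parse_ts(r["maxTime"])
        size_gb = round(int(r["currentDBSizeMB"]) / 1000, 2)  # same MB/1000 as the thread
        report.append({
            "Index": r["title"],
            "Earliest Event Time": earliest.isoformat(),
            "Latest Event Time": latest.isoformat(),
            "Current Date": now.strftime("%Y-%m-%d"),
            "Index Size in GB": size_gb,
            # True when no event has arrived within stale_after: a likely ingestion gap.
            "Stale": (now - latest) > stale_after,
        })
    # Same ordering as `| sort - currentDBSizeMB`.
    report.sort(key=lambda row: row["Index Size in GB"], reverse=True)
    return report


if __name__ == "__main__":
    for row in build_report(SAMPLE_INDEXES, SAMPLE_NOW):
        print(row)
```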
It is the total size of the index in MB at the time that the search was run.
Does currentDBSizeMB list the total index volume?
See my update above.
Is it possible to add the index volume to the above generated report?
That's why I am here 🙂
Thanks, that's exactly what I needed.