How to get total disk quota usage of a user OR rol...

claudiaG · ‎05-22-2023

Hello all,

since we can set the setting "srchDiskQuota" for each role in the authorize.conf I would like to know if there is a way to find out how much of the provided disk size has been really used by a specific role or user?

I want to make sure to not reach the srchDiskQuota limit soon.

Until now I couldnt find anything like this within the monitoring console.

Thanks for a short feedback would be really appreciated.

isoutamo · ‎06-01-2023

Hi

this is not a easy task 😞

If I have understood right that information has written to _introspection per user per search process. So there is no direct way to get it by role. You could get this information by

index=_introspection "data.search_props.role"=head data.written_mb>0 sourcetype=splunk_resource_usage "data.search_props.user"=<user account id>

I don't know how this is handling the already removed search files on disk? Those old search results are removed time by time from disk which decrease quota usage.

Anyhow you should look all users on individual role and then count those together.

There are examples for this on user level on splunkbase app Alerts For Splunk Admins. Those can found under "SearchHeadLevel - Users exceeding the disk quota*"

This App contains quite a many useful reports and alert. Thanx @gjanders for sharing this!

r. Ismo

How to get total disk quota usage of a user OR role?

monitoring console

resource usage

scheduler activity

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!