Monitoring Splunk

How to get total disk quota usage of a user OR role?


Hello all,

since we can set the setting "srchDiskQuota" for each role in the authorize.conf I would like to know if there is a way to find out how much of the provided disk size has been really used by a specific role or user? 

I want to make sure to not reach the srchDiskQuota limit soon.

Until now I couldnt find anything like this within the monitoring console.

Thanks for a short feedback would be really appreciated.

0 Karma



this is not a easy task 😞

If I have understood right that information has written to _introspection per user per search process. So there is no direct way to get it by role. You could get this information by 

index=_introspection "data.search_props.role"=head data.written_mb>0 sourcetype=splunk_resource_usage "data.search_props.user"=<user account id>

I don't know how this is handling the already removed search files on disk? Those old search results are removed time by time from disk which decrease quota usage.

Anyhow you should look all users on individual role and then count those together.

There are examples for this on user level on splunkbase app Alerts For Splunk Admins. Those can found under "SearchHeadLevel - Users exceeding the disk quota*"

This App contains quite a many useful reports and alert. Thanx @gjanders for sharing this!

r. Ismo

Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? &#x1f680; We invite you to join our elite squad ...