Monitoring Splunk

How to get total disk quota usage of a user OR role?


Hello all,

since we can set the setting "srchDiskQuota" for each role in the authorize.conf I would like to know if there is a way to find out how much of the provided disk size has been really used by a specific role or user? 

I want to make sure to not reach the srchDiskQuota limit soon.

Until now I couldnt find anything like this within the monitoring console.

Thanks for a short feedback would be really appreciated.

0 Karma



this is not a easy task 😞

If I have understood right that information has written to _introspection per user per search process. So there is no direct way to get it by role. You could get this information by 

index=_introspection "data.search_props.role"=head data.written_mb>0 sourcetype=splunk_resource_usage "data.search_props.user"=<user account id>

I don't know how this is handling the already removed search files on disk? Those old search results are removed time by time from disk which decrease quota usage.

Anyhow you should look all users on individual role and then count those together.

There are examples for this on user level on splunkbase app Alerts For Splunk Admins. Those can found under "SearchHeadLevel - Users exceeding the disk quota*"

This App contains quite a many useful reports and alert. Thanx @gjanders for sharing this!

r. Ismo

Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...