Monitoring Splunk

How to get total disk quota usage of a user OR role?

claudiaG
Engager

Hello all,

Since we can set the setting "srchDiskQuota" for each role in authorize.conf, I would like to know if there is a way to find out how much of the provided disk size has really been used by a specific role or user.

I want to make sure to not reach the srchDiskQuota limit soon.

Until now I couldn't find anything like this within the monitoring console.

Thanks, a short feedback would be really appreciated.

0 Karma

isoutamo
SplunkTrust

Hi

This is not an easy task 😞

If I have understood right, that information is written to _introspection per user per search process. So there is no direct way to get it by role. You could get this information with:

index=_introspection "data.search_props.role"=head data.written_mb>0 sourcetype=splunk_resource_usage "data.search_props.user"=<user account id>

I don't know how this handles the already removed search files on disk. Those old search results are removed from disk from time to time, which decreases quota usage.

Anyhow, you should look at all users in an individual role and then add those together.

There are examples for this at user level in the Splunkbase app Alerts For Splunk Admins. Those can be found under "SearchHeadLevel - Users exceeding the disk quota*".

This app contains quite many useful reports and alerts. Thanks @gjanders for sharing this!

r. Ismo
