Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to get the total each indexer volume size utilization in the indexer cluster of 10

venugoski
Explorer
‎08-09-2023 12:20 PM

how to get the total each indexer volume size utilization in the indexer cluster of 10.
i have the cluster manager with 10 indexers and like to know is there a way to query from the CM or the dashboard view the volume utilization of each indexer.
we don't have the distribution monitoring console setup yet.
we have 1 SH cluster with 5 SH
1CM
10 indexers
1 deployer to manage SH cluster

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-10-2023 12:55 AM

Hi

you could found suitable SPL from MC's indexing -> Indexes and Volumes: Deployment dashboard.

Here it is without MC groups. This should work without MC configuration.

| rest  services/data/index-volumes splunk_server=<YOUR INDEXERS HERE with wildcard>
| eval _dmc_volume = if(isnotnull(title), title, 'data.name') 
| where NOT _dmc_volume == "_splunk_summaries" 
| fields - _dmc_volume 
| eval volumeSizeGB = if(total_size > 1, round(total_size / 1024, 2), null()) 
| eval sizeUsagePerc = total_size / max_size * 100 
| stats dc(splunk_server) as Instances count(eval(total_size > 1)) as "Non-Empty Instances" sum(volumeSizeGB) as totalSize avg(volumeSizeGB) as avgSize avg(sizeUsagePerc) as avgSizePerc perc90(sizeUsagePerc) as ninetyPercentileSizePerc count(eval(total_size > max_size)) as volumesFreezingDueToSize by title 
| eval totalSize = if(isnotnull(totalSize), totalSize, 0) 
| eval avgSize = if(isnotnull(avgSize), round(avgSize, 2), 0) 
| eval avgSizePerc = if(isnotnull(avgSizePerc), round(avgSizePerc, 2)."%", "N/A") 
| eval avgSizePerc = if(isnotnull(avgSizePerc), round(avgSizePerc, 2)."%", "N/A") 
| eval ninetyPercentileSizePerc = if(isnotnull(ninetyPercentileSizePerc), round(ninetyPercentileSizePerc, 2)."%", "N/A") 
| eval volumesFreezingDueToSize = if(avgSizePerc != "N/A", volumesFreezingDueToSize, "N/A") 
| rename title as "Volume" totalSize as "Total Size (GB)" avgSize as "Average Size (GB)" avgSizePerc as "Average Usage (%)" ninetyPercentileSizePerc as "90th Percentile Usage (%)" volumesFreezingDueToSize as "Volumes Freezing Due To Size"

I think that you could change this easily to match your actual needs?

r. Ismo 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...