Hi
Most of those you will get with this query:
| rest /services/data/indexes splunk_server=local
| join title splunk_server type=outer [| rest splunk_server=local /services/data/indexes-extended/]
| table title datatype eai:acl.app currentDBSizeMB maxTotalDataSizeMB totalEventCount minTime maxTime homePath coldToFrozenDir disabled
This works on a single-node system. When you have a cluster, you need to modify this to get e.g. oldest and latest correctly, and you will get more than one entry per index.
r. Ismo
Hello
Thanks for your reply
The problem is that it returns '1' in the current size column for all the indexes.
I'm using Splunk Cloud, if that changes anything, and I also have an indexer cluster.
Sorry, there was a typo after my test in the join rest call. Now it's fixed in the above query.
Still the same.
currentDBSizeMB is '1' for all indexes.
What kind of environment do you have? Distributed with several indexers/an indexer cluster? As I said, this works without modifications only in a single (all-in-one) node environment. I don't have a distributed environment at hand to modify this to work with it.
| rest /services/data/indexes splunk_server=local
| join title splunk_server type=outer [| rest splunk_server=local /services/data/indexes-extended/]
| table title datatype eai:acl.app currentDBSizeMB maxTotalDataSizeMB totalEventCount minTime maxTime homePath coldToFrozenDir disabled
It gives me output like this
and a lot of other indexes with different currentDBSizeMB.
With an indexer cluster this is probably something like:
| rest /services/data/indexes splunk_server=<YOUR INDEXERS>
| join title splunk_server type=outer
[| rest splunk_server=<YOUR INDEXERS> /services/data/indexes-extended/]
| rename eai:acl.app as app
| stats values(app) as app values(datatype) as datatype max(currentDBSizeMB) as currentDBSizeMB max(maxTotalDataSizeMB) as maxTotalDataSizeMB max(totalEventCount) as totalEventCount min(minTime) as minTime max(maxTime) as maxTime values(homePath) as homePath values(coldToFrozenDir) as coldToFrozenDir max(disabled) as disabled by title
| table title datatype app currentDBSizeMB maxTotalDataSizeMB totalEventCount minTime maxTime homePath coldToFrozenDir disabled
As I mentioned, I'm using Splunk Cloud with an indexer cluster.
Also, the second query returns 1 for all.
Sorry, I missed that Splunk Cloud part. In SC you cannot run rest queries against indexers, as you don't have that capability. There is some information in the summary index, but at least I cannot find anything which helps you.
I'm afraid that you can't do that part on SC.