Splunk Cloud Platform

indexes list as a table

sarit_s
Communicator

Hello

How can i get the information shown in settings->indexes in a table ?
I know there is a rest command but i can't find it
What i need is the index name and current size

 

Thanks

Tags (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

most of those you will get with this query

 

| rest /services/data/indexes splunk_server=local
| join title splunk_server type=outer [| rest splunk_server=local /services/data/indexes-extended/]
| table title datatype eai:acl.app currentDBSizeMB maxTotalDataSizeMB totalEventCount minTime maxTime homePath coldToFrozenDir disabled

 

This works on single node system. When you have cluster you need to modify this to get e.g. oldest and latest correctly and you will get more than one entry per index.

r. Ismo

0 Karma

sarit_s
Communicator

Hello

Thanks for your reply

The problem is that it returns '1' in the current size column for all the indexes

I'm using Splunk cloud if it change something and also i have a indexer cluster

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Sorry, there was typo after my test on join rest call. Now it's fixed on above query.

0 Karma

sarit_s
Communicator

still the same

currentDBSizeMB is '1' for all indexes

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Which kind of environment you have? Distributed with several indexers/indexer cluster? As I said this works without modifications only on single (all in one) node environment. I haven't distributed environment on my hand to modify this to work with it.

| rest /services/data/indexes splunk_server=local
| join title splunk_server type=outer [| rest splunk_server=local /services/data/indexes-extended/]
| table title datatype eai:acl.app currentDBSizeMB maxTotalDataSizeMB totalEventCount minTime maxTime homePath coldToFrozenDir disabled

Gives to me like this

isoutamo_0-1688375545299.png

and lot of another indexes with different currentDBSizeMB.

With indexer cluster this is probably something like

| rest /services/data/indexes splunk_server=<YOUR INDEXERS> 
| join title splunk_server type=outer 
    [| rest splunk_server=<YOUR INDEXERS> /services/data/indexes-extended/] 
| rename eai:acl.app as app 
| stats values(app) as app values(datatype) as datatype max(currentDBSizeMB) as currentDBSizeMB max(maxTotalDataSizeMB) as maxTotalDataSizeMB max(totalEventCount) as totalEventCount min(minTime) as minTime max(maxTime) as maxTime values(homePath) as homePath values(coldToFrozenDir) as coldToFrozenDir max(disabled) as disabled by title
| table title datatype app currentDBSizeMB maxTotalDataSizeMB totalEventCount minTime maxTime homePath coldToFrozenDir disabled
0 Karma

sarit_s
Communicator

as i mentioned, im using Splunk cloud with indexer cluster

Also the second query returns 1 for all

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Sorry, I missed that SplunkCloud part. In SC you cannot do rest queries to indexers as you haven't that capability. There are some information on summary index, but at leas I cannot find anything with helps you.

I afraid that you can't do that part on SC.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...