Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

can i find out how big an index is?

HattrickNZ
Motivator
‎04-05-2016 06:55 PM

e.g. index = X index = y

can I find out how big index x and y are? maybe the value in bytes?
Can you do some deduction by getting the sizeof a record and the number of events per day and ... calculate a figure that way?

Tags (1)
0 Karma
Reply

acharlieh
Influencer
‎04-05-2016 07:25 PM

I can tell you exactly how large those indexes are in terms of on disk, and raw size of the events with help of the dbinspect command.

Make sure your time window is set to all time and execute this: 

| dbinspect index=X index=Y | stats sum(sizeOnDiskMB) sum(rawSize) by index | rename sum(*) -> *

That will give you the MB on disk for all buckets of each index, as well as the rawSize of the events in the index as well.

Is this what you're looking for?

Reply

ddrillic
Ultra Champion
‎04-06-2016 07:56 AM

I compared the output of -

stats sum(sizeOnDiskMB)

at 24.144531 MBs

versus

du -ks *

which shows -
$ du -ks *
4 colddb
160 datamodel_summary
24804 db
120 summary
4 thaweddb

Fairly close.

0 Karma
Reply

HattrickNZ
Motivator
‎04-05-2016 07:37 PM

tried replacing the stats with timechart span=d but getting no results. Can I do this or do I have to use bucket.

like what you done with rename

0 Karma
Reply

acharlieh
Influencer
‎04-05-2016 10:59 PM

The question is what is your goal that you need timechart? Are you trying to figure out daily license usage or something? (If so try searching on your license master for index=_internal type=Usage (idx=X or idx=Y) | timechart span=1d sum(b) by idx or something similar if you have to account for multiple Splunk servers) alternatively if you're looking for change in actual disk use, then you'd likely take the search in the answer and do summary indexing on that data. But if you're running into the limits of disk as set into indexes.conf, that might not be as interesting.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎04-05-2016 07:51 PM

dbinspect only has information about the startEpoch and endEpoch for each bucket in this index. timechart needs a _time field to chart it - so either rename any if the epoch fields which is useful for you or use chart sum(sizeOnDiskMB) sum(rawSize) over startEpoch by index.

Maybe this will be useful ?

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...