Splunk Enterprise Security

How can I do a Future Proof for the indexing?

Communicator

Does somebody know how I can do a Future Proof for the indexing?

I need to execute an analysis of the growth of indexing over time.

0 Karma

Motivator

Hi @evinasco,
It looks like you want to see the size growth of a particular index over time; the approach below may help.

| dbinspect index=_internal 
| stats sum(sizeOnDiskMB) as size 
| eval index_name="_internal" 
| collect index=main sourcetype=index_growth

Replace _internal with the name of the index you want to monitor. Run the above query in the search bar and click on Save as Alert. Select the alert type "Scheduled" and select the schedule period from the drop-down below it based on your requirement. Click Save.
In the future, whenever you want to see the index growth over time, write the query below to get the timechart.

index=main sourcetype="index_growth" | timechart avg(size) by index_name

Hope this helps!

0 Karma

SplunkTrust

What is the problem you are trying to solve?
Are you trying to predict index growth?
Do you want to analyze past indexing data?
Did you try the | dbinspect command?

0 Karma

Communicator

Hi

My client asked me to produce a document that allows them to analyze future growth of their infrastructure (search head, indexers, CPU, memory, disk and license) and how they can execute it.

0 Karma

Motivator

Can you try the predict command?

0 Karma
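
Combining the index_growth summary events from the first answer with the predict command suggested in the last reply, as an added example that is not from any poster in this thread. It assumes the scheduled search has collected samples for a single index over several weeks; the 500000 MB capacity figure and the field names size_mb, forecast_mb, low_mb, high_mb, assumed_capacity_mb and breach are constructed for illustration.

```spl
index=main sourcetype="index_growth"
| timechart span=1d avg(size) AS size_mb
| predict size_mb AS forecast_mb algorithm=LLT future_timespan=90 upper95=high_mb lower95=low_mb
| eval assumed_capacity_mb=500000
| eval breach=if(high_mb > assumed_capacity_mb, "yes", "no")
| table _time size_mb forecast_mb low_mb high_mb breach
```

Rows dated after today have no size_mb value and carry only the forecast with its 95% band; the first row where breach is "yes" is the earliest day on which the upper bound exceeds the assumed volume capacity.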