Its on monitoring console, Disk Usage part. If we see there, there is a bar show the storage used. I already restart the service too, but the value still like the picture. I also inspect search from the panel, and the value are same, i copy it on excel like this one.

Did you check the results which the initial rest command yields?

as i know, the result is same

this /cold part

OK. This is indeed interesting.

The search behind this panel uses the /services/server/status/partitions-space REST endpoint.

This endpoint, according to docs, returns four values.

- capacity

- free

- fs_type

- mount_point

(along with some "standard" fields like title, author, id and eai stuff)

But the actual data returned by the call also includes a field called "available". And in my case the "available" field indeed shows the free space on the filesystem. The "free" field (again - in my case) contains some value completely unrelated to anything.

But the search behind the MC panel uses the field "available" if it's included in the data. If it's not included, it uses the "free" field.

Check the results of

| rest splunk_server=<your indexer> /services/server/status/partitions-space
| fields - eai* id author published updated title

And see if the data makes sense.  I suspect you're not getting the "available" field and your "free" field contains some bonkers value.

EDIT: Posted a feedback to the docs page describing this REST endpoint

Hi

at least some older splunk versions (e.g. 7.3.x) there was (probably) bug which leads this kind of behavior when you are using REST with a increased storage areas like increased filesystem. The fix was restart splunkd.

r. Ismo

but the restart process already done and it still show same value