Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Comparing index sizes on 2 dates

tsheets13
Communicator
‎03-04-2020 10:52 AM

I have been asked to create an alert that looks at the index sizes (all indexes) for today, and compare them to the sizes as they were one week ago. I know I can get the index sizes for the last 7 days with

 index=_introspection component=Indexes | eval data.total_size = 'data.total_size' / 1024 | timechart span=1d max("data.total_size") by data.name

However, how can I compare the sizes of each index, 1 by 1, between today and 7 days ago.

Thanks for the help.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-04-2020 11:46 AM

Hi @tsheets13,

Try this:

index=_introspection component=Indexes earliest=-1d@d latest=@d 
| eval field="today" 
| append 
    [ search index=_introspection component=Indexes earliest=-8d@d latest=-7d@d 
    | eval field="sevendaysago"] 
| eval total_size = 'data.total_size'/1024 
| stats max(total_size) as total_size by data.name, field 
| xyseries data.name field total_size 
| where today > sevendaysago

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-04-2020 11:46 AM

Hi @tsheets13,

Try this:

index=_introspection component=Indexes earliest=-1d@d latest=@d 
| eval field="today" 
| append 
    [ search index=_introspection component=Indexes earliest=-8d@d latest=-7d@d 
    | eval field="sevendaysago"] 
| eval total_size = 'data.total_size'/1024 
| stats max(total_size) as total_size by data.name, field 
| xyseries data.name field total_size 
| where today > sevendaysago
0 Karma
Reply
Solved! Jump to solution

tsheets13
Communicator
‎03-04-2020 12:33 PM

That's perfect. I am not sure why you singled out indexes with the name of device and syslogs, but after I removed that, I got what I want. Now if you don't mind helping me take it just a step further. I need to alert if the difference between today and sevendaysago are greater than 20% on any given index and report that index and difference. Thanks

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-04-2020 03:58 PM

I was checking this query on test data on my machine. You can calculate difference and check if it is greater than 20% of index size 7 days ago. Check this.

index=_introspection component=Indexes earliest=-1d@d latest=@d 
| eval field="today" 
| append 
    [ search index=_introspection component=Indexes earliest=-8d@d latest=-7d@d 
    | eval field="sevendaysago"] 
| eval total_size = 'data.total_size'/1024 
| stats max(total_size) as total_size by data.name, field 
| xyseries data.name field total_size 
| eval difference = today - sevendaysago 
| where difference > sevendaysago*20/100

Please accept and upvote answer if this helps you:)

0 Karma
Reply
Solved! Jump to solution

tsheets13
Communicator
‎03-05-2020 06:14 AM

exactly what I needed, thank you!

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-06-2020 12:16 AM

you're welcome.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...