Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Comparing index sizes on 2 dates

tsheets13
Communicator
‎03-04-2020 10:52 AM

I have been asked to create an alert that looks at the index sizes (all indexes) for today, and compare them to the sizes as they were one week ago. I know I can get the index sizes for the last 7 days with

 index=_introspection component=Indexes | eval data.total_size = 'data.total_size' / 1024 | timechart span=1d max("data.total_size") by data.name

However, how can I compare the sizes of each index, 1 by 1, between today and 7 days ago.

Thanks for the help.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-04-2020 11:46 AM

Hi @tsheets13,

Try this:

index=_introspection component=Indexes earliest=-1d@d latest=@d 
| eval field="today" 
| append 
    [ search index=_introspection component=Indexes earliest=-8d@d latest=-7d@d 
    | eval field="sevendaysago"] 
| eval total_size = 'data.total_size'/1024 
| stats max(total_size) as total_size by data.name, field 
| xyseries data.name field total_size 
| where today > sevendaysago

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-04-2020 11:46 AM

Hi @tsheets13,

Try this:

index=_introspection component=Indexes earliest=-1d@d latest=@d 
| eval field="today" 
| append 
    [ search index=_introspection component=Indexes earliest=-8d@d latest=-7d@d 
    | eval field="sevendaysago"] 
| eval total_size = 'data.total_size'/1024 
| stats max(total_size) as total_size by data.name, field 
| xyseries data.name field total_size 
| where today > sevendaysago
0 Karma
Reply
Solved! Jump to solution

tsheets13
Communicator
‎03-04-2020 12:33 PM

That's perfect. I am not sure why you singled out indexes with the name of device and syslogs, but after I removed that, I got what I want. Now if you don't mind helping me take it just a step further. I need to alert if the difference between today and sevendaysago are greater than 20% on any given index and report that index and difference. Thanks

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-04-2020 03:58 PM

I was checking this query on test data on my machine. You can calculate difference and check if it is greater than 20% of index size 7 days ago. Check this.

index=_introspection component=Indexes earliest=-1d@d latest=@d 
| eval field="today" 
| append 
    [ search index=_introspection component=Indexes earliest=-8d@d latest=-7d@d 
    | eval field="sevendaysago"] 
| eval total_size = 'data.total_size'/1024 
| stats max(total_size) as total_size by data.name, field 
| xyseries data.name field total_size 
| eval difference = today - sevendaysago 
| where difference > sevendaysago*20/100

Please accept and upvote answer if this helps you:)

0 Karma
Reply
Solved! Jump to solution

tsheets13
Communicator
‎03-05-2020 06:14 AM

exactly what I needed, thank you!

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-06-2020 12:16 AM

you're welcome.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...