Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Comparing index sizes on 2 dates

tsheets13
Communicator
‎03-04-2020 10:52 AM

I have been asked to create an alert that looks at the index sizes (all indexes) for today, and compare them to the sizes as they were one week ago. I know I can get the index sizes for the last 7 days with

 index=_introspection component=Indexes | eval data.total_size = 'data.total_size' / 1024 | timechart span=1d max("data.total_size") by data.name

However, how can I compare the sizes of each index, 1 by 1, between today and 7 days ago.

Thanks for the help.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-04-2020 11:46 AM

Hi @tsheets13,

Try this:

index=_introspection component=Indexes earliest=-1d@d latest=@d 
| eval field="today" 
| append 
    [ search index=_introspection component=Indexes earliest=-8d@d latest=-7d@d 
    | eval field="sevendaysago"] 
| eval total_size = 'data.total_size'/1024 
| stats max(total_size) as total_size by data.name, field 
| xyseries data.name field total_size 
| where today > sevendaysago

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-04-2020 11:46 AM

Hi @tsheets13,

Try this:

index=_introspection component=Indexes earliest=-1d@d latest=@d 
| eval field="today" 
| append 
    [ search index=_introspection component=Indexes earliest=-8d@d latest=-7d@d 
    | eval field="sevendaysago"] 
| eval total_size = 'data.total_size'/1024 
| stats max(total_size) as total_size by data.name, field 
| xyseries data.name field total_size 
| where today > sevendaysago
0 Karma
Reply
Solved! Jump to solution

tsheets13
Communicator
‎03-04-2020 12:33 PM

That's perfect. I am not sure why you singled out indexes with the name of device and syslogs, but after I removed that, I got what I want. Now if you don't mind helping me take it just a step further. I need to alert if the difference between today and sevendaysago are greater than 20% on any given index and report that index and difference. Thanks

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-04-2020 03:58 PM

I was checking this query on test data on my machine. You can calculate difference and check if it is greater than 20% of index size 7 days ago. Check this.

index=_introspection component=Indexes earliest=-1d@d latest=@d 
| eval field="today" 
| append 
    [ search index=_introspection component=Indexes earliest=-8d@d latest=-7d@d 
    | eval field="sevendaysago"] 
| eval total_size = 'data.total_size'/1024 
| stats max(total_size) as total_size by data.name, field 
| xyseries data.name field total_size 
| eval difference = today - sevendaysago 
| where difference > sevendaysago*20/100

Please accept and upvote answer if this helps you:)

0 Karma
Reply
Solved! Jump to solution

tsheets13
Communicator
‎03-05-2020 06:14 AM

exactly what I needed, thank you!

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-06-2020 12:16 AM

you're welcome.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...