Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Comparing index sizes on 2 dates
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have been asked to create an alert that looks at the index sizes (all indexes) for today, and compare them to the sizes as they were one week ago. I know I can get the index sizes for the last 7 days with
index=_introspection component=Indexes | eval data.total_size = 'data.total_size' / 1024 | timechart span=1d max("data.total_size") by data.name
However, how can I compare the sizes of each index, 1 by 1, between today and 7 days ago.
Thanks for the help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @tsheets13,
Try this:
index=_introspection component=Indexes earliest=-1d@d latest=@d
| eval field="today"
| append
[ search index=_introspection component=Indexes earliest=-8d@d latest=-7d@d
| eval field="sevendaysago"]
| eval total_size = 'data.total_size'/1024
| stats max(total_size) as total_size by data.name, field
| xyseries data.name field total_size
| where today > sevendaysago
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @tsheets13,
Try this:
index=_introspection component=Indexes earliest=-1d@d latest=@d
| eval field="today"
| append
[ search index=_introspection component=Indexes earliest=-8d@d latest=-7d@d
| eval field="sevendaysago"]
| eval total_size = 'data.total_size'/1024
| stats max(total_size) as total_size by data.name, field
| xyseries data.name field total_size
| where today > sevendaysago
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's perfect. I am not sure why you singled out indexes with the name of device and syslogs, but after I removed that, I got what I want. Now if you don't mind helping me take it just a step further. I need to alert if the difference between today and sevendaysago are greater than 20% on any given index and report that index and difference. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was checking this query on test data on my machine. You can calculate difference and check if it is greater than 20% of index size 7 days ago. Check this.
index=_introspection component=Indexes earliest=-1d@d latest=@d
| eval field="today"
| append
[ search index=_introspection component=Indexes earliest=-8d@d latest=-7d@d
| eval field="sevendaysago"]
| eval total_size = 'data.total_size'/1024
| stats max(total_size) as total_size by data.name, field
| xyseries data.name field total_size
| eval difference = today - sevendaysago
| where difference > sevendaysago*20/100
Please accept and upvote answer if this helps you:)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
exactly what I needed, thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you're welcome.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
