Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dashboard to check index filled or not.

vxroot
Loves-to-Learn
‎01-02-2022 09:47 PM

Hello guys, Splunk newbie here.

 

Hope someone can assist in my case, 

so index=*_whatever is expected to be filled with data in monthly basis, I want to create a dashboard that tracks whether which indexes are filled and which that are not so I can keep track and check which ones are empty and which ones are filled.

Thank you!!

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-03-2022 12:30 AM

Hi

There are lot of already done Apps for this issue. Here is some links for those

Slackbot  17:08
There are a lot of options for finding hosts or sources that stop submitting events:
Meta Woot! https://splunkbase.splunk.com/app/2949/
TrackMe https://splunkbase.splunk.com/app/4621/
Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...Some helpful posts:
https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe
https://www.duanewaddle.com/proving-a-negative/

r. Ismo

Reply

SinghK
Builder
‎01-02-2022 11:31 PM

|rest /services/data/indexes/|fields title maxTotalDataSizeMB currentDBSizeMB
|eval indexStatus = if(currentDBSizeMB>1, "Data", "Empty")

Reply

inventsekar
SplunkTrust
SplunkTrust
‎01-02-2022 10:11 PM

Hi @vxroot ... this can be done in multiple ways.. 

metadata command can be simple and less cpu/memory intensive command, than counting manually with your style of command. 

 

let us know your how your dashboard preparation steps, you can try to include both styles and try to see which one suits you. thanks. 

0 Karma
Reply

vxroot
Loves-to-Learn
‎01-02-2022 10:28 PM

I'm just looking to create a simple table that has two columns first column as Index_Name and second column that should have a checkmark or a cross where checkmark = index is filled and cross = index not filled. Can replace check mark and cross with Yes / No instead too, is that possible? 

 

0 Karma
Reply

SinghK
Builder
‎01-02-2022 09:50 PM

index=* |stats count by index should do the trick.

0 Karma
Reply

vxroot
Loves-to-Learn
‎01-02-2022 10:03 PM

Unfortunately that does not work, thanks though. 

0 Karma
Reply

SinghK
Builder
‎01-02-2022 11:20 PM

|rest /services/data/indexes/|table title maxTotalDataSizeMB currentDBSizeMB 

 

this will show all indexes and allocated size and used size. let me know if this works for you and if you need help modifying search.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...