Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Determining the total storage space a user's search artifacts are occupying (and calculating the time a search expires)

BernardEAI
Communicator
‎09-01-2021 01:47 AM

I'm working on calculating the storage space taken up by a specific user. I would like to calculate the total size of their search artifacts at any given time - we would like to see if they are hitting their storage limits regularly. This will indicate we need to increase the storage limit.

I'm running this search to get the jobs for a specific user:

| rest /services/search/jobs | search author=<user>

The next thing to do would be to calculate the size of all jobs that have not expired yet. I can get the life of the search (ttl field) and when the search started (published field), and a sum of those should give the time the search expires. However, if I check the "Jobs" report, the "Expires" field does not correspond to what I calculate. There must be some additional factor involved in the calculation of the "Expired" field..?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

BernardEAI
Communicator
‎09-01-2021 02:30 AM

It turns out the Expired time is calculated by adding the ttl to start time of the search, plus the search duration. The search duration is the time the search takes to complete and display on screen. If there are many results and fields (as is the case with this search) the time to display on screen is significant. Therefor the Expired time is a bit more than:

search start + search duration + ttl

In any case, I discovered that I do not need to calculate size of the searches that have not expired yet, because only searches that have not expired yet are returned with the search:

| rest /services/search/jobs | search author=<user>

 So I can just total the diskUsage field to get the total size of search artifacts for that user.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

BernardEAI
Communicator
‎09-01-2021 02:30 AM

It turns out the Expired time is calculated by adding the ttl to start time of the search, plus the search duration. The search duration is the time the search takes to complete and display on screen. If there are many results and fields (as is the case with this search) the time to display on screen is significant. Therefor the Expired time is a bit more than:

search start + search duration + ttl

In any case, I discovered that I do not need to calculate size of the searches that have not expired yet, because only searches that have not expired yet are returned with the search:

| rest /services/search/jobs | search author=<user>

 So I can just total the diskUsage field to get the total size of search artifacts for that user.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-01-2021 02:32 AM
Time by time splunk returned also those rows which has ttl = 0 (which has expired). That is quite short period, but this can mix up your calculations.
0 Karma
Reply
Solved! Jump to solution

BernardEAI
Communicator
‎09-01-2021 03:19 AM

Thanks @isoutamo 

I have tested this a bit and I do not get any searches that has ttl = 0. Maybe I just haven't encountered that case yet in my testing.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-01-2021 02:28 AM

Hi

If I looked those fields correctly, then ttl field directly told to you how much time the query results are available. So you could do something like

 

| rest /services/search/jobs
| fields author diskUsage ttl
| where ttl > 0
| stats count sum(diskUsage) as diskUsage by author

 

r. Ismo 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...