Splunk Search

Help identifying fast growing indexes

jwpoore
New Member

Hi fellow Splunkers.

I am the Splunk admin at my org, however that is mainly more from the Infrastructure side of things so when it comes to actually using Splunk I am a novice. I would like to change this but one thing at a time, Splunk is only one of my problems ;).

We've got 4 Indexers, 2 in each DC. Up until last week these were pretty consistent with each other in terms of growth, although now one site is growing about 30GB per day quicker than the other. This isn't a big deal, but I'd like to know why.

Can someone help me with a search which shows growth per day vs the previous day? Or have any tips to help me try and narrow down what's actually growing faster than normal.

Appreciate any help you can offer.

0 Karma
1 Solution

MattibergB
Path Finder

Hi,

You could use something like the following:

  index=_internal earliest=-2d@d latest=-0d@d
    source=/opt/splunk/var/log/splunk/license_usage.log*
  | eval gb=round(b/1024/1024/1024,2)
  | bin span=1d _time
  | stats sum(gb) as gb by idx _time
  | sort idx

It will show the GB per index per day; you can change the earliest to find older data.
You could add splunk_server to stats: stats sum(gb) as gb by idx _time splunk_server
Then you can see the difference between your servers.


0 Karma
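The search above gives GB per index per day but leaves the "today vs. yesterday" comparison to the reader. The following is an added example, not code from the answer above or from Splunk: a small Python script that applies the same logic offline to constructed license_usage.log lines (parse the type=Usage entries, bin by day, sum the b field per index, then rank indexes by day-over-day growth). The log lines, index names and indexer ids are made up; the assumption that Usage entries carry the index in idx, the bytes in b and the originating indexer in i is this example's, and keying on i is how the script gets a per-indexer breakdown. In SPL the same per-index delta is what streamstats over the stats output would give.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of type=Usage entries from
# license_usage.log. Sizes are chosen so one index jumps by 30 GiB in a day.
SAMPLE_LOG = """\
09-18-2023 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st=syslog h=web01 o="" idx="os" i="idx-dc1-a" pool="auto_generated_pool_enterprise" b=10737418240 poolsz=536870912000
09-18-2023 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st=linux_secure h=web01 o="" idx="security" i="idx-dc2-a" pool="auto_generated_pool_enterprise" b=5368709120 poolsz=536870912000
09-19-2023 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st=syslog h=web01 o="" idx="os" i="idx-dc1-a" pool="auto_generated_pool_enterprise" b=11811160064 poolsz=536870912000
09-19-2023 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st=linux_secure h=web01 o="" idx="security" i="idx-dc2-a" pool="auto_generated_pool_enterprise" b=37580963840 poolsz=536870912000
09-19-2023 00:00:01.000 +0000 INFO  LicenseUsage - type=RolloverSummary stacksz=536870912000 b=0
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_usage(log_text):
    """Return one record per type=Usage line: day (ISO date), idx, i, bytes."""
    records = []
    for line in log_text.splitlines():
        if "type=Usage" not in line:
            continue  # skip RolloverSummary and any other entry types
        fields = {k: (q if q else bare) for k, q, bare in KV_RE.findall(line)}
        # the leading MM-DD-YYYY is the event time; bin it to the day like "bin span=1d"
        day = datetime.strptime(line[:10], "%m-%d-%Y").date().isoformat()
        records.append({"day": day, "idx": fields["idx"], "i": fields["i"],
                        "bytes": int(fields["b"])})
    return records


def gb_per_day(records, key="idx"):
    """Equivalent of 'stats sum(gb) by <key> _time': {(key, day): GB rounded to 2}."""
    totals = defaultdict(int)
    for r in records:
        totals[(r[key], r["day"])] += r["bytes"]
    return {k: round(v / 1024 ** 3, 2) for k, v in totals.items()}


def day_over_day(totals):
    """Rows of (key, day, gb, previous_day_gb, delta), largest growth first.
    The first observed day of a key has no previous value, so delta is None."""
    by_key = defaultdict(dict)
    for (key, day), gb in totals.items():
        by_key[key][day] = gb
    rows = []
    for key, days in by_key.items():
        prev = None
        for day in sorted(days):  # ISO dates sort chronologically as strings
            gb = days[day]
            delta = None if prev is None else round(gb - prev, 2)
            rows.append((key, day, gb, prev, delta))
            prev = gb
    # unknown deltas last, then biggest positive growth first
    return sorted(rows, key=lambda r: (r[4] is None, -(r[4] or 0.0)))


if __name__ == "__main__":
    recs = parse_usage(SAMPLE_LOG)
    for label, key in (("index", "idx"), ("indexer", "i")):
        print(f"--- growth by {label} ---")
        for k, day, gb, prev, delta in day_over_day(gb_per_day(recs, key)):
            print(f"{k:12} {day} {gb:8.2f} GB  prev={prev}  delta={delta}")
```

Run against a real export of license_usage.log (one line per event, as Splunk writes it) and the top row of the per-index table is the index to look at first; the per-indexer table answers the site-vs-site question in the original post.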



richgalloway
SplunkTrust

I believe the Monitoring Console has dashboards that show index growth over time.

---
If this reply helps you, Karma would be appreciated.
0 Karma