Solved: Re: How do I combine storage statistics of indexes...

alanzchan · ‎08-20-2018

I can use a rest search from the services/data/indexesendpoint to calculate storage statistics, like the index size in GB, of each index. I would like to combine these storage statistics to a table that has the index, sourcetype, and host. Currently, I'm using this tstats search:

| tstats count where index=* by index sourcetype, host | stats list(host) as Hosts by index sourcetype| rename index as "Index", sourcetype as "Sourcetype(s)"

I don't believe that |rest and |tstats can be used together. Is there a way I can do this only using |tstats? Possibly by using license usage?

Any help is appreciated.

adonio · ‎08-20-2018

something like that:

 | tstats values(sourcetype) as v_st values(host) as hosts where index=* by index
    | append [| rest /services/data/indexes | ... your statistics here ... by title
    | rename title as index]

hope it helps

View solution in original post

adonio · ‎08-20-2018

something like that:

 | tstats values(sourcetype) as v_st values(host) as hosts where index=* by index
    | append [| rest /services/data/indexes | ... your statistics here ... by title
    | rename title as index]

hope it helps

How do I combine storage statistics of indexes with the index, sourcetype, and host?

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control