Solved: How do I combine storage statistics of indexes wit...

alanzchan · ‎08-20-2018

I can use a rest search from the services/data/indexesendpoint to calculate storage statistics, like the index size in GB, of each index. I would like to combine these storage statistics to a table that has the index, sourcetype, and host. Currently, I'm using this tstats search:

| tstats count where index=* by index sourcetype, host | stats list(host) as Hosts by index sourcetype| rename index as "Index", sourcetype as "Sourcetype(s)"

I don't believe that |rest and |tstats can be used together. Is there a way I can do this only using |tstats? Possibly by using license usage?

Any help is appreciated.

adonio · ‎08-20-2018

something like that:

 | tstats values(sourcetype) as v_st values(host) as hosts where index=* by index
    | append [| rest /services/data/indexes | ... your statistics here ... by title
    | rename title as index]

hope it helps

View solution in original post

adonio · ‎08-20-2018

something like that:

 | tstats values(sourcetype) as v_st values(host) as hosts where index=* by index
    | append [| rest /services/data/indexes | ... your statistics here ... by title
    | rename title as index]

hope it helps

How do I combine storage statistics of indexes with the index, sourcetype, and host?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)