Splunk Search

How to calculate the index size from top 10 biggest indexers

myleskennison
Explorer

Sorry about this lame post. Our Splunk admin had to leave unexpectedly and now it's up to me to do this without any prior knowledge.  I'm trying to figure out how to make a dashboard that displays our biggest indexers out of about 100.  Management wants to know which indexes are ingesting the most data daily and how much.  

 

Any help would be appreciated.  Thank you

Labels (2)
0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @myleskennison,

In your question, there is confusion about indexes and indexers but I assume you need index sizes.

Please try below on your search head, it will show you total index sizes in megabytes and total event counts per index.

| rest /services/data/indexes 
| stats sum(currentDBSizeMB) as currentDBSizeMB sum(totalEventCount) as totalEventCount by title 
| rename title as index
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Check the Monitoring Console.  Settings->Monitoring console->Indexing->Indexes and Volumes:Instance.

Other dashboards in the MC may help, too.

---
If this reply helps you, Karma would be appreciated.
0 Karma

myleskennison
Explorer

Thanks Rich but I don't have the monitoring console.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Everyone has the monitoring console.  It's built in to Splunk Enterprise.  The trick may be in finding the right instance where the MC is configured.

A good resource for someone taking over a Splunk deployment is the Inherit a Splunk Deployment manual at https://docs.splunk.com/Documentation/Splunk/8.2.2/InheritedDeployment/Introduction

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...