Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate the index size from top 10 biggest indexers

myleskennison
Explorer
‎10-16-2021 07:36 AM

Sorry about this lame post. Our Splunk admin had to leave unexpectedly and now it's up to me to do this without any prior knowledge.  I'm trying to figure out how to make a dashboard that displays our biggest indexers out of about 100.  Management wants to know which indexes are ingesting the most data daily and how much.  

 

Any help would be appreciated.  Thank you

Labels (2)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎10-16-2021 10:23 AM

Hi @myleskennison,

In your question, there is confusion about indexes and indexers but I assume you need index sizes.

Please try below on your search head, it will show you total index sizes in megabytes and total event counts per index.

| rest /services/data/indexes 
| stats sum(currentDBSizeMB) as currentDBSizeMB sum(totalEventCount) as totalEventCount by title 
| rename title as index
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-16-2021 08:05 AM

Check the Monitoring Console.  Settings->Monitoring console->Indexing->Indexes and Volumes:Instance.

Other dashboards in the MC may help, too.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

myleskennison
Explorer
‎10-16-2021 08:06 AM

Thanks Rich but I don't have the monitoring console.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-16-2021 09:36 AM

Everyone has the monitoring console.  It's built in to Splunk Enterprise.  The trick may be in finding the right instance where the MC is configured.

A good resource for someone taking over a Splunk deployment is the Inherit a Splunk Deployment manual at https://docs.splunk.com/Documentation/Splunk/8.2.2/InheritedDeployment/Introduction

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...