How to create a search to find out unused indexes?

kteng2024 · ‎08-29-2017

I am looking for indexes which are utilizing only 10%-20% of storage allocated to them. Can i please know is there any query to find out that.I know that we can look into DMC but i specifically need only the indexes that uses only 10%-20% of storage for last 30 days.

somesoni2 · ‎08-29-2017

How are you planning to decide on what the total storage allocated for an index? An index can go to maximum size as defined in maxTotalDataSizeMB = * The maximum size of an index (in MB) OR based on retention period as defined in frozenTimePeriodInSecs= * Number of seconds after which indexed data rolls to frozen.

Dey1 · ‎09-19-2023

Can you help with a query to find out which indexs are not used

adonio · ‎08-29-2017

try this

    | rest /services/data/indexes-extended
    | table title currentDBSizeMB maxTotalDataSizeMB
    | eval percent_full = round(currentDBSizeMB/maxTotalDataSizeMB*100, 2)
     rename COMMENT as "now you can add your where or search clause"
    | where percent_full =<20

hope it helps

How to create a search to find out unused indexes?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Join the Conversation

How to create a search to find out unused indexes?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!