Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a search to find out unused indexes?

kteng2024
Path Finder
‎08-29-2017 10:45 AM

I am looking for indexes which are utilizing only 10%-20% of storage allocated to them. Can i please know is there any query to find out that.I know that we can look into DMC but i specifically need only the indexes that uses only 10%-20% of storage for last 30 days.

0 Karma
Reply

somesoni2
Revered Legend
‎08-29-2017 11:08 AM

How are you planning to decide on what the total storage allocated for an index? An index can go to maximum size as defined in maxTotalDataSizeMB = * The maximum size of an index (in MB) OR based on retention period as defined in frozenTimePeriodInSecs= * Number of seconds after which indexed data rolls to frozen.

0 Karma
Reply

Dey1
New Member
‎09-19-2023 02:49 AM

Can you help with a query to find out which indexs are not used 

0 Karma
Reply

adonio
Ultra Champion
‎08-29-2017 11:05 AM

try this

    | rest /services/data/indexes-extended
    | table title currentDBSizeMB maxTotalDataSizeMB
    | eval percent_full = round(currentDBSizeMB/maxTotalDataSizeMB*100, 2)
     rename COMMENT as "now you can add your where or search clause"
    | where percent_full =<20

hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...