Splunk Search

How to edit my search to find the number of retention days (frozenTimePeriodInSecs/86400) for a specific index?

sai_kumar_bolla
New Member

I have the following search to calculate the RetentionDays of all the indexes in a cluster, but I'm unable to fetch the RetentionDays of the specific index name out of the results which has returned by the below search.

| rest/services/data/indexes splunk_server="*-splunkp*" | stats max(eval(round(frozenTimePeriodInSecs/86400))) as RetentionDays by title | rename title as index

This search returns multiple indexes and for an instance, I need only book_core from the search. How do I filter it?

0 Karma

somesoni2
Revered Legend

Try like this

| rest/services/data/indexes splunk_server="-splunkp" | search title="book_core" | stats max(eval(round(frozenTimePeriodInSecs/86400))) as RetentionDays by title | rename title as index

sai_kumar_bolla
New Member

Great!!. It worked and thanks!!

0 Karma

acharlieh
Influencer

Depending on your number of indexes and goals, you may want to consider

| rest /services/data/indexes/book_core splunk_server="*-splunkp*" | stats ...

instead of filtering with search. As /data/indexes will only return 30 indexes per server, unless you tweak the count parameter, but then you could be getting back much more data than you wanted/needed from each indexer.

0 Karma
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...