Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find out unused indexes in DMC?

AbilashSe
Explorer
‎09-03-2017 09:34 PM

Could anyone please help to find out unused indexes in Splunk DMC

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-04-2017 04:19 AM

Hi AbilashSe,
if you want to see unused indexes you could go in [Indexing -- Indexes and Volumes -- Index Detail: Deployment], and see for each Index if it doesn't receive logs for a long time.
If you want a report of last and first event of each index use something like this

| rest splunk_server_group=dmc_group_indexer splunk_server_group="*" /services/data/indexes | table title maxTime minTime

Bye.
Giuseppe

0 Karma
Reply

faisal_mansour
Loves-to-Learn Lots
‎12-07-2022 11:49 PM

Thanks for the query, i developed it to be something usable....

 

| rest splunk_server_group=dmc_group_indexer splunk_server_group="*" /services/data/indexes 
| stats max(maxTime) AS latestEvent BY title
| eval elapsedTime = now() - strptime(latestEvent,"%Y-%m-%dT%H:%M:%S%z"),  daysSince = ceiling(elapsedTime / 86400)
| eval daysSinceLastEvent = case(daysSince<0, -1, daysSince=0, 0, daysSince>0,daysSince)
| eval indexStatus = case(daysSinceLastEvent>730, "Nothing Since 2 years",
                          daysSinceLastEvent<730 AND daysSinceLastEvent>365, "Nothing Since last year", 
                          daysSinceLastEvent<365 AND daysSinceLastEvent>0, "used in last year",
                          daysSinceLastEvent=0, "Till today",
                          daysSinceLastEvent<0, "bad future timestamp")
| fields title latestEvent daysSinceLastEvent indexStatus
Tags (1)
0 Karma
Reply

AbilashSe
Explorer
‎09-04-2017 04:23 AM

Hi Giuseppe,

Thanks for the update..
I would like to get the count of unused indexes.

could you please help me.?

Regards,
Abilash

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-04-2017 04:44 AM

Hi AbilashSe,
when you say "unused indexes", do you mean:

  • indexes without events,
  • indexes with events older than a date (e.g. "2017-09-04 8:00:00")?

in first case

| rest splunk_server_group=dmc_group_indexer splunk_server_group="*" /services/data/indexes
| eval indexSizeGB = if(currentDBSizeMB >= 1 AND totalEventCount >=1, currentDBSizeMB/1024, null())
| stats  sum(indexSizeGB) AS totalSize BY title 
| where totalSize=0
| table title

In the second case run something like this

| rest splunk_server_group=dmc_group_indexer splunk_server_group="*" /services/data/indexes 
| eval 
     time_limit=strptime("2017-09-04 8:00:00","%Y-%m-%d %H:%M:%S"),
     maxTime=strptime(time_limit,"%Y-%m-%dT%H:%M:%S")
| where maxTime<time_limit
| table title maxTime minTime

Bye.
Giuseppe

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-03-2017 11:02 PM

unused indexes meaning, indexes that didnt receive data for how long? or never received any data at all?!?! (empty index)

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

AbilashSe
Explorer
‎09-03-2017 11:04 PM

Indexes which didn't receive data for long time.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...