Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find out unused indexes in DMC?

AbilashSe
Explorer
‎09-03-2017 09:34 PM

Could anyone please help to find out unused indexes in Splunk DMC

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-04-2017 04:19 AM

Hi AbilashSe,
if you want to see unused indexes you could go in [Indexing -- Indexes and Volumes -- Index Detail: Deployment], and see for each Index if it doesn't receive logs for a long time.
If you want a report of last and first event of each index use something like this

| rest splunk_server_group=dmc_group_indexer splunk_server_group="*" /services/data/indexes | table title maxTime minTime

Bye.
Giuseppe

0 Karma
Reply

faisal_mansour
Loves-to-Learn Lots
‎12-07-2022 11:49 PM

Thanks for the query, i developed it to be something usable....

 

| rest splunk_server_group=dmc_group_indexer splunk_server_group="*" /services/data/indexes 
| stats max(maxTime) AS latestEvent BY title
| eval elapsedTime = now() - strptime(latestEvent,"%Y-%m-%dT%H:%M:%S%z"),  daysSince = ceiling(elapsedTime / 86400)
| eval daysSinceLastEvent = case(daysSince<0, -1, daysSince=0, 0, daysSince>0,daysSince)
| eval indexStatus = case(daysSinceLastEvent>730, "Nothing Since 2 years",
                          daysSinceLastEvent<730 AND daysSinceLastEvent>365, "Nothing Since last year", 
                          daysSinceLastEvent<365 AND daysSinceLastEvent>0, "used in last year",
                          daysSinceLastEvent=0, "Till today",
                          daysSinceLastEvent<0, "bad future timestamp")
| fields title latestEvent daysSinceLastEvent indexStatus
Tags (1)
0 Karma
Reply

AbilashSe
Explorer
‎09-04-2017 04:23 AM

Hi Giuseppe,

Thanks for the update..
I would like to get the count of unused indexes.

could you please help me.?

Regards,
Abilash

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-04-2017 04:44 AM

Hi AbilashSe,
when you say "unused indexes", do you mean:

  • indexes without events,
  • indexes with events older than a date (e.g. "2017-09-04 8:00:00")?

in first case

| rest splunk_server_group=dmc_group_indexer splunk_server_group="*" /services/data/indexes
| eval indexSizeGB = if(currentDBSizeMB >= 1 AND totalEventCount >=1, currentDBSizeMB/1024, null())
| stats  sum(indexSizeGB) AS totalSize BY title 
| where totalSize=0
| table title

In the second case run something like this

| rest splunk_server_group=dmc_group_indexer splunk_server_group="*" /services/data/indexes 
| eval 
     time_limit=strptime("2017-09-04 8:00:00","%Y-%m-%d %H:%M:%S"),
     maxTime=strptime(time_limit,"%Y-%m-%dT%H:%M:%S")
| where maxTime<time_limit
| table title maxTime minTime

Bye.
Giuseppe

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-03-2017 11:02 PM

unused indexes meaning, indexes that didnt receive data for how long? or never received any data at all?!?! (empty index)

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

AbilashSe
Explorer
‎09-03-2017 11:04 PM

Indexes which didn't receive data for long time.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...