Splunk Search
Highlighted

How to find the size of each of the data model in our environment via Splunk search or REST API?

I'm trying to estimate the storage used by all the data models in our environment. Is there a way to find the size of each of the data models using a Splunk search or a Rest call.

0 Karma
Highlighted

Re: How to find the size of each of the data model in our environment via Splunk search or REST API?

I was able to use the below query to show the size of all the datamodels which are accelerated.

|rest servicesNS/-/-/data/models
| search acceleration="1"
| table title eai:appName eai:userName
| rename eai:appName AS name| eval myDatamodel="DM" . name . "" . title
|map search="|rest /servicesNS/nobody/-/admin/summarization/tstats:$myDatamodel$ splunk_server=local"|table eai:acl.app,eai:acl.owner, summary.id, summary.size|rename eai:acl.app as app eai:acl.owner as owner summary.size as size summary.id as datamodel|eval sizeMB=round(size/1000000,2)|fields - size|addcoltotals sizeMB

View solution in original post

Highlighted

Re: How to find the size of each of the data model in our environment via Splunk search or REST API?

Explorer

Great search!

For anyone that tries to run it but gets a warning message about the search result count exceeding the maximum (10), include 'maxsearches= within the map command. Example would be:

| map search=" | rest /servicesNS/nobody/-/admin/summarization/tstats:$myDatamodel$ splunk_server=local" maxsearches=30

0 Karma