Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Trying to create a search that will bring back indexes that have 0 bytes ingested over the last 30 days

NanSplk01
Communicator
4 weeks ago

| rest splunk_server=* /services/data/indexes
| fields title currentDBSizeMB lastIngestTime
| eval Bytes = round(coalesce(currentDBSizeMB, 0) * 1024 * 1024, 0)
| where Bytes = 0 AND NOT match(title, "^_")
| eval Source="REST"
| rename title as "Index"
| table Index Bytes Source
| append [
| dbinspect index=* summarize=t
| stats sum(rawSize) as Bytes by index
| eval Bytes = coalesce(Bytes, 0)
| where Bytes = 0 AND NOT match(index, "^_")
| eval Source="dbinspect"
| rename index as "Index"
| table Index Bytes Source
]
| dedup Index

 

All I get is one index instead of all of them.

Labels (2)
Labels
0 Karma
Reply

PrewinThomas
Motivator
4 weeks ago

@NanSplk01 
Minor tweak to @gcusello  given to fetch all indexes.

 

| tstats count WHERE index=* earliest=-30d latest=now BY index
| append [
| rest splunk_server=* /services/data/indexes count=0
| rename title AS index
| eval count=0
| fields index count
]
| stats sum(count) AS total BY index
| where total=0 AND NOT match(index,"^_")

 


Also as alternative, you can try directly from the metrics logs as well.

 

index=_internal source=*metrics.log group=per_index_thruput earliest=-30d@d latest=now
| stats sum(kb) as total_kb by series
| eval total_bytes = total_kb * 1024
| where total_bytes=0
| rename series as index
| table index total_bytes

 

 

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Reply

NanSplk01
Communicator
3 weeks ago

Unfortunately neither brought back only those indexes that were just zero, it brought back all indexes and they were all counted as zero.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
4 weeks ago

1. Technical remark - please use a code block or preformated paragraph to paste your SPL code - it makes it easier to read and prevents it from losing formatting.

2.When I run it on my environment the only 0-bytes index I get is a disabled index. Even indexes which have no real data in them have some non-zero size (low, but still non-zero).

 

Reply

gcusello
SplunkTrust
SplunkTrust
4 weeks ago

Hi @NanSplk01 ,

please try something like this:

| tstats count WHERE index=* earliest=-30d latest=now BY index
| append [ 
     | rest splunk_server=* /services/data/indexes
     | search index!="_*"
     | rename title AS index
     | eval count=0
     | fields index count
     ]
| stats sum(count) AS total BY index
| where total=0

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...