Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Trying to create a search that will bring back indexes that have 0 bytes ingested over the last 30 days

NanSplk01
Communicator
Wednesday

| rest splunk_server=* /services/data/indexes
| fields title currentDBSizeMB lastIngestTime
| eval Bytes = round(coalesce(currentDBSizeMB, 0) * 1024 * 1024, 0)
| where Bytes = 0 AND NOT match(title, "^_")
| eval Source="REST"
| rename title as "Index"
| table Index Bytes Source
| append [
| dbinspect index=* summarize=t
| stats sum(rawSize) as Bytes by index
| eval Bytes = coalesce(Bytes, 0)
| where Bytes = 0 AND NOT match(index, "^_")
| eval Source="dbinspect"
| rename index as "Index"
| table Index Bytes Source
]
| dedup Index

 

All I get is one index instead of all of them.

Labels (2)
Labels
0 Karma
Reply

PrewinThomas
Motivator
Thursday

@NanSplk01 
Minor tweak to @gcusello  given to fetch all indexes.

 

| tstats count WHERE index=* earliest=-30d latest=now BY index
| append [
| rest splunk_server=* /services/data/indexes count=0
| rename title AS index
| eval count=0
| fields index count
]
| stats sum(count) AS total BY index
| where total=0 AND NOT match(index,"^_")

 


Also as alternative, you can try directly from the metrics logs as well.

 

index=_internal source=*metrics.log group=per_index_thruput earliest=-30d@d latest=now
| stats sum(kb) as total_kb by series
| eval total_bytes = total_kb * 1024
| where total_bytes=0
| rename series as index
| table index total_bytes

 

 

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Reply

PickleRick
SplunkTrust
SplunkTrust
Thursday

1. Technical remark - please use a code block or preformated paragraph to paste your SPL code - it makes it easier to read and prevents it from losing formatting.

2.When I run it on my environment the only 0-bytes index I get is a disabled index. Even indexes which have no real data in them have some non-zero size (low, but still non-zero).

 

Reply

gcusello
SplunkTrust
SplunkTrust
Wednesday

Hi @NanSplk01 ,

please try something like this:

| tstats count WHERE index=* earliest=-30d latest=now BY index
| append [ 
     | rest splunk_server=* /services/data/indexes
     | search index!="_*"
     | rename title AS index
     | eval count=0
     | fields index count
     ]
| stats sum(count) AS total BY index
| where total=0

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...