Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

index growth in last 7 days

surekhasplunk
Communicator
‎11-18-2019 03:10 AM

Hi,

Using below query now i am showing the trend of growth of one particular index for last 7 days.
index=_introspection (host=indexername) sourcetype=splunk_disk_objects component=Indexes
| rename data.* AS * | search name=assets | eval totalindexsize=total_size+datamodel_summary_size
| eval totalindexsize_GB=(totalindexsize/1024)
| fillnull value=0 totalindexsize_GB
| bin span=1d _time
| stats avg(totalindexsize_GB) AS Total_Index_Size(GB) by host,name,_time
| convert timeformat="%d-%m-%Y" ctime(_time) AS date
| rename name as IndexName
| table date, host, IndexName, Total_Index_Size(GB) | sort - Total_Index_Size(GB)

But my management wants to see growth of top 5 indexes which grew drastically.
how to achieve that. That too using the line graph

Thanks

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-18-2019 03:48 AM

Hi @surekhasplunk,
did you explored the dashboards in Monitoring Console?
Anyway, try something like this:

index=_introspection sourcetype=splunk_disk_objects component=Indexes [ search 
     index=_introspection sourcetype=splunk_disk_objects component=Indexes 
     | stats avg(data.total_size) AS data.total_size BY data.name
     | sort - data.total_size
     | head 5
     | fields data.name ] 
| timechart span=1d avg(data.total_size) AS Total_Index_Size(GB) by data.name

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-18-2019 03:48 AM

Hi @surekhasplunk,
did you explored the dashboards in Monitoring Console?
Anyway, try something like this:

index=_introspection sourcetype=splunk_disk_objects component=Indexes [ search 
     index=_introspection sourcetype=splunk_disk_objects component=Indexes 
     | stats avg(data.total_size) AS data.total_size BY data.name
     | sort - data.total_size
     | head 5
     | fields data.name ] 
| timechart span=1d avg(data.total_size) AS Total_Index_Size(GB) by data.name

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎11-18-2019 04:47 AM

Thanks for this @gcusello,

But is there any way where i can show in the same query the difference of data between each day and sort via difference so that then its very clear that which particular index grew abnormally.
Hope am clear in what i am trying to say.

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...