I found an answer here on the Splunk forums that shows a good search to list the current size of indexes as they sit on disk. I would now like to associate these numbers with the MB size restrictions I have configured in indexes.conf per index.
Does anyone know of a good search that would produce these values?
Going forward it would be helpful if you add a link to the other answer you found, or put the search you want to upgrade in your question.
I'd suggest you create a csv with two columns: index and max_size
Then use the lookup GUI to create a lookup table and definition with this data (indexsize.csv and indexsize). You can then use the lookup command to get the max_size from the table and link it with your search. Like so:
| eventcount summarize=false report_size=true index=*
| eval MB = size_bytes / 1024 / 1024
| lookup indexsize index OUTPUT max_size
This will then append the column "max_size" from your file to your results.
Hope this helps
OK - I suppose I was originally hoping that I could pull the configuration values out rather than maintaining the index sizes in both indexes.conf and a lookup csv. But, I guess it is what it is. Thanks for the help.
Well... you could write a script that monitors your indexes.conf, aggregates the max_sizes for you, and then has the result indexed in, say, main. Then you could simply search against that data rather than maintaining a lookup.
Or you could write a script that writes your lookup csv and runs automatically on a schedule, therefore removing the need for manual intervention.
There may be a way of doing it out of the box, it just escapes me. There are people far more knowledgeable than me on here though, and one of them might take a look at your question and chime in with a brilliant answer 🙂
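The second suggestion in the reply above (a scheduled script that writes the lookup csv so nobody has to maintain the limits twice) looks like this in practice. This is an added example, not code from the thread or from Splunk: it parses an indexes.conf, applies the [default] stanza the way Splunk layers settings, skips volume stanzas and disabled indexes, emits the index,max_size lookup the accepted answer expects, and compares the caps against the size_bytes figures that `| eventcount summarize=false report_size=true index=*` reports. The indexes.conf text and the byte counts are constructed for the example. One caveat: Splunk merges several indexes.conf files by precedence, so feed the script the merged view (for instance the output of `splunk btool indexes list`) rather than a single local file, or the limits you write out may not be the ones actually in effect.

```python
import configparser
import csv
import io

# Constructed sample indexes.conf for this example (not taken from the thread).
# In production read the merged configuration, e.g. "splunk btool indexes list".
SAMPLE_INDEXES_CONF = """\
[default]
maxTotalDataSizeMB = 500000

[main]
homePath = $SPLUNK_DB/defaultdb/db
coldPath = $SPLUNK_DB/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb

[firewall]
homePath = volume:hot/firewall/db
coldPath = volume:cold/firewall/colddb
thawedPath = $SPLUNK_DB/firewall/thaweddb
maxTotalDataSizeMB = 1000000

[legacy]
homePath = $SPLUNK_DB/legacy/db
coldPath = $SPLUNK_DB/legacy/colddb
thawedPath = $SPLUNK_DB/legacy/thaweddb
disabled = 1

[volume:hot]
path = /opt/splunk/var/lib/splunk
maxVolumeDataSizeMB = 2000000
"""

# Splunk's shipped default when neither the stanza nor [default] sets a cap.
SPLUNK_DEFAULT_MAX_MB = 500000


def parse_index_limits(conf_text):
    """Map index name -> maxTotalDataSizeMB (int), honouring [default].

    Volume stanzas and disabled indexes are skipped: there is no on-disk
    index to compare them against.
    """
    cp = configparser.ConfigParser(
        interpolation=None,         # leave $SPLUNK_DB and friends untouched
        default_section="default",  # Splunk's fallback stanza is lowercase
        strict=False,               # tolerate duplicate keys instead of aborting
    )
    cp.optionxform = str            # keep key case, e.g. maxTotalDataSizeMB
    cp.read_string(conf_text)

    limits = {}
    for stanza in cp.sections():    # sections() never includes the default stanza
        if stanza.startswith("volume:"):
            continue
        if cp.get(stanza, "disabled", fallback="0").strip().lower() in ("1", "true"):
            continue
        limits[stanza] = int(cp.get(stanza, "maxTotalDataSizeMB",
                                    fallback=SPLUNK_DEFAULT_MAX_MB))
    return limits


def write_lookup_csv(limits):
    """Render the lookup file the answer above asks for: index,max_size."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["index", "max_size"])
    for name in sorted(limits):
        writer.writerow([name, limits[name]])
    return buf.getvalue()


def utilisation(limits, size_bytes_by_index):
    """Percent of its configured cap each index currently occupies.

    size_bytes_by_index is keyed like the index/size_bytes pair that
    eventcount report_size=true returns; indexes with no data count as 0.
    """
    result = {}
    for name, cap_mb in limits.items():
        used_mb = size_bytes_by_index.get(name, 0) / 1024 / 1024
        result[name] = round(100.0 * used_mb / cap_mb, 1)
    return result


if __name__ == "__main__":
    limits = parse_index_limits(SAMPLE_INDEXES_CONF)
    print(write_lookup_csv(limits), end="")
    # Constructed on-disk sizes: 250000 MB for main, 100000 MB for firewall.
    sample_sizes = {"main": 262144000000, "firewall": 104857600000}
    for idx, pct in utilisation(limits, sample_sizes).items():
        print(f"{idx}: {pct}% of {limits[idx]} MB")
```

Run it from cron or a Splunk scripted input, write the csv into the app's lookups directory, and the search from the accepted answer picks up the new limits on the next run without anyone editing two files.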
"|btool indexes" definitely was the way to go. This is really what I was looking for.
| btool indexes
| rex mode=sed "s/\r?\n/--BREAKER--/g"
| rex field=_raw "(?<firstline>.+?)--BREAKER--(?<otherlines>.*)$"
| eval otherlines=split(otherlines, "--BREAKER--")
| rex field=firstline ".*?\s+\[(?<indexname>.+)\]$"
| rex field=otherlines "(?<a>\S+)\s+(?<b>[^=]+)=(?<c>.*)" max_match=1
| eval fields=mvzip(a,mvzip(b,c))
| mvexpand fields
| rex field=fields "^(?<filename>[^,]+),(?<k>[^,]+),(?<v>.*)"
| table filename,k,v,sos_server,indexname
| where k like "%maxTotalDataSizeMB%"
Very cool. Didn't realize the btool function was available at search time. Thought it was just a CLI thing. Glad you found the answer 🙂