Hi, I have an use case in which I need to assess the storage difference of the index. Like for example, I have an index which has around 100.15 GB of data in it with Searchable Retention Days as 1095 Days. Now, if I reduce the Searchable Retention Days to let's say 365 Days, then what would be the approximate storage utilization on the Index. I need to output these results onto a tabular form on a dashboard for the same. Please assist me on this. Thank you in advance.   ... View more

Hi, I'm exploring a way to get the search results for the name of Indexes, who created those indexes and creation date. So far I have got the DDAS Retention Days, DDAS Index Size, DDAA Retention Days, DDAA Usage, along with the Earliest and Latest Event Dates. I'm trying with the owner of the indexes but am not getting the desired results. The search query I've been using is given below: | rest splunk_server=local /servicesNS/-/-/data/indexes | rename title as indexName, owner as creator | append [ search index=summary source="splunk-storage-detail" (host="*.personalsplunktesting.*" OR host=*.splunk*.*) | fillnull rawSizeGB value=0 | eval rawSizeGB=round(rawSizeBytes/1024/1024/1024,2) | rename idxName as indexName ] | append [ search index=summary source="splunk-ddaa-detail" (host="*.personalsplunktesting.*" OR host=*.splunk*.*) | eval archiveUsage=round(archiveUsage,2) | rename idxName as indexName ] | stats latest(retentionDays) as "Searchable Storage (DDAS) Retention Days", latest(rawSizeGB) as "Searchable Storage (DDAS) Index Size GB", max(archiver.coldStorageRetentionPeriod) as "Archive Storage (DDAA) Retention Days", latest(archiveUsage) as "Archive Storage (DDAA) Usage GB", latest(ninetyDayArchived) as "Archived GB Last 90 Days", latest(ninetyDayExpired) as "Expired GB Last 90 Days" by indexName | append [ | tstats earliest(_time) as earliestTime latest(_time) as latestTime where index=* by index | eval earliest_event=strftime(earliestTime, "%Y-%m-%d %H:%M:%S"), latest_event=strftime(latestTime, "%Y-%m-%d %H:%M:%S") | rename index as indexName | fields indexName earliest_event latest_event ] | stats values("Searchable Storage (DDAS) Retention Days") as "Searchable Storage (DDAS) Retention Days", values("Searchable Storage (DDAS) Index Size GB") as "Searchable Storage (DDAS) Index Size GB", values("Archive Storage (DDAA) Retention Days") as "Archive Storage (DDAA) Retention Days", values("Archive Storage (DDAA) Usage GB") as "Archive Storage (DDAA) Usage GB", values(earliest_event) as "Earliest Event", values(latest_event) as "Latest Event", values(creator) as "Creator" by indexName Please can anyone help me on this? Thanks in advance!   ... View more

Hi, I recently tried creating a private app on Splunk Cloud, the app is getting created successfully, but it does not show nor display in the list of apps which are on the Splunk Cloud. I tried to create the app using both barebones and sample_app as a template with different App IDs but it didn't work, however the app is getting created and there's no error being displayed for the same, also I kept the visibility as yes. Please can someone assist me on this? Thanks! ... View more