Splunk Dev

can i find out how big an index is?

HattrickNZ
Motivator

e.g. index = X index = y

can I find out how big index x and y are? maybe the value in bytes?
Can you do some deduction by getting the sizeof a record and the number of events per day and ... calculate a figure that way?

Tags (1)
0 Karma

acharlieh
Influencer

I can tell you exactly how large those indexes are in terms of on disk, and raw size of the events with help of the dbinspect command.

Make sure your time window is set to all time and execute this:

| dbinspect index=X index=Y | stats sum(sizeOnDiskMB) sum(rawSize) by index | rename sum(*) -> *

That will give you the MB on disk for all buckets of each index, as well as the rawSize of the events in the index as well.

Is this what you're looking for?

ddrillic
Ultra Champion

I compared the output of -

stats sum(sizeOnDiskMB)

at 24.144531 MBs

versus

du -ks *

which shows -
$ du -ks *
4 colddb
160 datamodel_summary
24804 db
120 summary
4 thaweddb

Fairly close.

0 Karma

HattrickNZ
Motivator

tried replacing the stats with timechart span=d but getting no results. Can I do this or do I have to use bucket.

like what you done with rename

0 Karma

acharlieh
Influencer

The question is what is your goal that you need timechart? Are you trying to figure out daily license usage or something? (If so try searching on your license master for index=_internal type=Usage (idx=X or idx=Y) | timechart span=1d sum(b) by idx or something similar if you have to account for multiple Splunk servers) alternatively if you're looking for change in actual disk use, then you'd likely take the search in the answer and do summary indexing on that data. But if you're running into the limits of disk as set into indexes.conf, that might not be as interesting.

0 Karma

MuS
Legend

dbinspect only has information about the startEpoch and endEpoch for each bucket in this index. timechart needs a _time field to chart it - so either rename any if the epoch fields which is useful for you or use chart sum(sizeOnDiskMB) sum(rawSize) over startEpoch by index.

Maybe this will be useful ?

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...