Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Comparing index sizes on 2 dates
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have been asked to create an alert that looks at the index sizes (all indexes) for today, and compare them to the sizes as they were one week ago. I know I can get the index sizes for the last 7 days with
index=_introspection component=Indexes | eval data.total_size = 'data.total_size' / 1024 | timechart span=1d max("data.total_size") by data.name
However, how can I compare the sizes of each index, 1 by 1, between today and 7 days ago.
Thanks for the help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @tsheets13,
Try this:
index=_introspection component=Indexes earliest=-1d@d latest=@d
| eval field="today"
| append
[ search index=_introspection component=Indexes earliest=-8d@d latest=-7d@d
| eval field="sevendaysago"]
| eval total_size = 'data.total_size'/1024
| stats max(total_size) as total_size by data.name, field
| xyseries data.name field total_size
| where today > sevendaysago
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @tsheets13,
Try this:
index=_introspection component=Indexes earliest=-1d@d latest=@d
| eval field="today"
| append
[ search index=_introspection component=Indexes earliest=-8d@d latest=-7d@d
| eval field="sevendaysago"]
| eval total_size = 'data.total_size'/1024
| stats max(total_size) as total_size by data.name, field
| xyseries data.name field total_size
| where today > sevendaysago
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's perfect. I am not sure why you singled out indexes with the name of device and syslogs, but after I removed that, I got what I want. Now if you don't mind helping me take it just a step further. I need to alert if the difference between today and sevendaysago are greater than 20% on any given index and report that index and difference. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was checking this query on test data on my machine. You can calculate difference and check if it is greater than 20% of index size 7 days ago. Check this.
index=_introspection component=Indexes earliest=-1d@d latest=@d
| eval field="today"
| append
[ search index=_introspection component=Indexes earliest=-8d@d latest=-7d@d
| eval field="sevendaysago"]
| eval total_size = 'data.total_size'/1024
| stats max(total_size) as total_size by data.name, field
| xyseries data.name field total_size
| eval difference = today - sevendaysago
| where difference > sevendaysago*20/100
Please accept and upvote answer if this helps you:)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
exactly what I needed, thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you're welcome.
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
Splunk Answers Content Calendar, July Edition I
