Solved: Re: How to calculate the index size from all index...

adityapavan18 · ‎10-14-2013

Is there a way to calculate total size of an index from all indexers?
I can see index size from each individual indexer but i have around 30 indexers in the setup i am working on..so ideally wouldn't work if go and check index size in each indexer individually

alacercogitatus · ‎10-14-2013

Building on MuS' answer, you can do each indexer from a single search head. This will require SoS to be installed ( http://apps.splunk.com/app/748/ ).

Each of these calls should be really quick, so the number of search-peers will increase execution time, but not as badly as if you were doing a data search.

You can also adjust the stats do whatever you need, | stats sum(currentDBSizeMB) by title.

View solution in original post

alacercogitatus · ‎10-14-2013

Building on MuS' answer, you can do each indexer from a single search head. This will require SoS to be installed ( http://apps.splunk.com/app/748/ ).

Each of these calls should be really quick, so the number of search-peers will increase execution time, but not as badly as if you were doing a data search.

You can also adjust the stats do whatever you need, | stats sum(currentDBSizeMB) by title.

MuS · ‎04-05-2021

Just came along this old post, happy to give some karma to an old friend

😊

dtrelford · ‎10-22-2018

SoS is discontinued and no longer supported. Is there an alternative query that can be run now?

My apologies if I should have posted this in a new question.

gjanders · ‎10-22-2018

| rest /services/data/indexes |  stats sum(currentDBSizeMB) by title splunk_server

The above might do it, you can use the REST API or use the monitoring console. The monitoring console has a variety of queries that do this which you can borrow by clicking on the magnifying glass (it replaces SoS)

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

alacercogitatus · ‎10-14-2013

You can even summarize this (with |collect index=summary) and then do data capacity planning!

adityapavan18 · ‎10-14-2013

Thanx a lot...I do have S.o.S installed..and running this query provided me the data i require

MHibbin · ‎10-14-2013

The eventcount command may be what you need:

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Eventcount

Haven't tried it against multiple indexers however.

This command requires a "|" before the command to run.

Hope this helps.

MHibbin · ‎10-14-2013

@adityapavan18, again I'm not sure, as I only one indexer to play around with at the moment, but perhaps the following, seems odd to me that it has the server field if it is localized to one server...

| eventcount summarize=false index=* report_size=true | eval MB=(size_bytes/1024)/1024 | stats sum(MB) by index, server

aokur_splunk · ‎02-08-2019

worked for me - thanks MHibbin

mendesjo · ‎02-22-2016

Nope doesn't work..

adityapavan18 · ‎10-14-2013

this helps only for a particular indexer.Not sure how we use for multiple indexers

MuS · ‎10-14-2013

Hi adityapavan18

one way would be to use the REST endpoint /services/data/indexes for that, but this must be done against each indexer. Personally I would setup a summarized saved search on each indexer which runs the following search:

     | rest /services/data/indexes | stats values(currentDBSizeMB) by title

This way you will be able to get the index size for each indexer with one single search afterwards.

hope this helps ...

cheers, MuS

awurster · ‎02-08-2015

this is way better, as anything that requires the 3rd party app like SOS is not a clean one IMHO. i think more and more of these weird little tasks must be phased out and worked into core splunk (via REST API for instance or DMC moving forward.

adityapavan18 · ‎10-14-2013

Thanx MuS.

mendesjo · ‎02-22-2016

| rest /services/data/indexes | stats values(currentDBSizeMB) by title

That only provides data of index per indexer, it's not added up.. How would you sum it?

MuS · ‎10-17-2017

Quick and dirty solution is to run this:

 | rest /services/data/indexes | where totalEventCount!=0 | stats values(currentDBSizeMB) AS size by title | streamstats sum(size) AS total

sowings · ‎10-17-2017

Note that currentDBsizeMB is 1 for an index with no events. Might want to filter out those where totalEventCount=0

MuS · ‎10-17-2017

Good point, I changed the search - thanks 😉

Rocky31 · ‎06-05-2019

what you changed? paste it here plz

Muryoutaisuu · ‎06-29-2016

why not just use | stats sum(currentDBSizeMB) by title

instead of values?

How to calculate the index size from all indexers

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?