Splunk search for Detailed information on Indexes

| rest /services/data/indexes
| eval indexSize=tostring(round(currentDBSizeMB/1024,2), "commas"), events=tostring(totalEventCount, "commas"), daysRetention=frozenTimePeriodInSecs/60/60/24
| foreach *Time [ | eval <<FIELD>>=strptime(<<FIELD>>,"%Y-%m-%dT%H:%M:%S%Z"), <<FIELD>>=strftime(<<FIELD>>,"%m/%d/%Y %H:%M:%S") ]
| fillnull value="n/a"
| table title, splunk_server, indexSize, daysRetention, events, maxTime, minTime
| rename title as "Index Name", splunk_server as "Splunk Server", indexSize as "Current Size on Disk (GB)", daysRetention as "Retention Period in Days", events as "Count of events", maxTime as "Most Recent Event", minTime as "Earliest Event"

This search queries the /services/data/indexes REST endpoint to provide detailed information on all indexes within Splunk. For each index it yields the name of the index, the number of events currently found within the index, the retention period of the index, the current size of the index on disk, the timestamp of the most recent event in the index and the timestamp of the earliest event in the index.

Category: REST

