Dashboard to measure Indexes and Sourcetypes, based upon first and last date of events

This dashboard uses REST API endpoints to list all indexes, then, for each index, reports per sourcetype the total event count and the timestamps of the first and last events (based on `_time`). It then does basic date math to show how long a span that is, as an *observed* retention figure. Two caveats: it shows the data actually present in the buckets, not the configured retention settings (e.g. `frozenTimePeriodInSecs`), and because every search runs as the viewing user, the indexes and counts shown are limited to what that user's roles are allowed to list and search.

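<form version="1.1" theme="dark">
  <!--
    Index / sourcetype inventory with the observed data span per sourcetype.

    "base"    : the index list that feeds the Select Index dropdown (internal "_*" and "cim_*" hidden).
    "massive" : per index and sourcetype, the event count, first/last event time and the span between
                them. That span is what is present in the buckets, NOT the configured retention.

    Every search here runs as the viewing user, so what is listed/counted is bounded by that user's
    roles and capabilities (NOTE(review): confirm against your role configuration before treating the
    table as a complete inventory).
  -->
  <label>Splunk Indexesv2</label>
  <search id="base">
    <!-- Grab all the indexes. stats collapses the one-row-per-indexer duplicates that the REST
         endpoint returns in a distributed deployment. -->
    <query>
      | rest /servicesNS/-/-/data/indexes
      | rename "title" as index
      | search (index!=_* AND index!="cim_*")
      | stats count by index
    </query>
  </search>
  <search id="massive">
    <!-- If on an enterprise system with lots of data, this should be migrated to a scheduled report
         and this block replaced with a loadjob: each mapped sub-search counts against the viewing
         user's search concurrency quota. -->
    <!-- May have to tinker with maxsearches=500 based upon your data size; 500 should be plenty for
         most organizations. Indexes beyond that count are silently skipped by map. -->
    <!-- $$index$$ is how Simple XML spells a literal $index$, the per-row token map substitutes. -->
    <!-- stats list() keeps at most 100 values per field (limits.conf list_maxvals); an index with
         more than 100 sourcetypes is truncated in this table. -->
    <!-- Unlike "base", this search does not hide the "_*" and "cim_*" indexes, so "All" shows more
         rows than the dropdown offers. -->
    <!-- The append re-adds every index so indexes with no sourcetype data still get a row; dedup
         keeps the first occurrence (the stats row when data exists) and fillnull marks the empty
         ones with the literal string "null", which the TotalEvents colour map below paints red. -->
    <query>
      | rest /services/data/indexes | dedup title | fields title | rename title AS index
      | map maxsearches=500 search="| metadata type=sourcetypes index=\"$$index$$\"
          | eval Retention=tostring(abs(lastTime-firstTime), \"duration\")
          | convert ctime(firstTime) ctime(lastTime)
          | sort lastTime
          | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\"
          | eval index=\"$$index$$\""
      | fields index sourcetype TotalEvents FirstEvent LastEvent Retention
      | sort sourcetype
      | stats list(sourcetype) AS SourceTypes list(TotalEvents) AS TotalEvents list(FirstEvent) AS "First Event" list(LastEvent) AS "Last Event" list(Retention) AS Retention by index
      | append [| rest /services/data/indexes | dedup title | fields title | rename title AS index]
      | dedup index | fillnull value=null SourceTypes TotalEvents "First Event" "Last Event" Retention | sort index
    </query>
    <!-- Explicit all-time window: metadata only reports buckets inside the search range, and the
         first/last event times are only meaningful as a retention figure when taken over all time. -->
    <earliest>0</earliest>
  </search>
  <fieldset submitButton="true" autoRun="true">
    <input type="multiselect" token="index_selected">
      <label>Select Index</label>
      <!-- Uses the base search only, so leave this alone -->
      <search base="base"></search>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <!-- Parentheses keep the OR'd index list from binding to the sourcetype filter in the table:
           without them "index=a OR index=b SourceTypes=x" parses as index=a OR (index=b AND SourceTypes=x),
           because AND binds tighter than OR in SPL. -->
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>index=</valuePrefix>
      <delimiter> OR </delimiter>
    </input>
    <input type="multiselect" token="sourcetype_selected">
      <label>Select SourceType(s)</label>
      <choice value="*">All</choice>
      <!-- tstats takes the parenthesised, OR'd index filter as a boolean where-clause. The metadata
           command only accepts repeated index= arguments, not a boolean expression, so it cannot
           consume $index_selected$ once more than one index is chosen. -->
      <search>
        <query>| tstats count where $index_selected$ by sourcetype | rename sourcetype AS SourceType | sort SourceType</query>
        <earliest>0</earliest>
      </search>
      <fieldForLabel>SourceType</fieldForLabel>
      <fieldForValue>SourceType</fieldForValue>
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <initialValue>*</initialValue>
      <!-- Filters the SourceTypes multivalue field produced by the stats list() in "massive". -->
      <valuePrefix>SourceTypes=</valuePrefix>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Post-process filter over the cached "massive" results. Both tokens are substituted into
             the SPL verbatim (the |s quoting filter cannot be used here because the values carry
             their own field=value syntax), and dashboard tokens can also be supplied through the URL
             (form.<token>= parameters), so treat the selection as user input. Exposure is bounded by
             the fact that the post-process search runs only with the viewer's own permissions. -->
        <search base="massive">
          <query>
          | search $index_selected$ $sourcetype_selected$
          </query>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="TotalEvents">
          <!-- Color code any index with no data as red: "null" is the literal string fillnull
               writes in "massive", not an empty cell. -->
          <colorPalette type="map">{"null":"#FF0000"}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</form>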