This dashboard will use REST API endpoints to grab a list of all indexes and then map out by sourcetype how many events when the first one was (based upon _time) and the last. Then does basic date math to show how long of a period that is as retention (though it does not show […]
List of index available to your role
|
1 |
|tstats count WHERE index=* OR index=_ BY index |
Don’t forget time modifier is required
Use REST to gather Index Info
Here is some SPL to get useful information via REST on indexes within your Splunk environment:
|
1 2 3 4 5 |
| REST /services/data/indexes | eval currentDBSizeMB=tostring(currentDBSizeMB, "commas") | eval totalEventCount=tostring(totalEventCount, "commas") | eval frozenTimePeriodInHours=(frozenTimePeriodInSecs/60/60) | table title splunk_server currentDBSizeMB frozenTimePeriodInHours maxTime minTime totalEventCount |
List of Indexes
This simple Splunk query will return results for indexes that the current user (typically you) have access to: *NOTE* depending on settings this may or may not return internal indexes.
|
1 |
host=* | dedup index |table index |
