Created
June 21, 2017 20:02
-
-
Save automine/591f7af85e3921dd8deca89552043480 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| |rest servicesNS/-/-/data/models splunk_server_group=dmc_group_search_head | |
| | search acceleration="1" | |
| | table title eai:appName eai:userName splunk_server | |
| | rename eai:appName AS name| eval myDatamodel="DM_" . name . "_" . title | |
| |map maxsearches=50 search="|rest /servicesNS/nobody/-/admin/summarization/tstats:$$myDatamodel$$ splunk_server=$$splunk_server$$"|table eai:acl.app, summary.id, summary.size, summary.time_range, splunk_server |rename summary.time_range as retention_period eai:acl.app as app summary.size as size summary.id as datamodel|eval sizeGB=round(size/1024/1024/1024,2) | eval retention_period = retention_period/86400 |fields - size | lookup dmc_assets serverName AS splunk_server OUTPUT search_group | rex field=search_group "dmc_searchheadclustergroup_(?<cluster_guid>.*)" | eval search_head_cluster=coalesce(cluster_guid, splunk_server) | stats values(splunk_server) AS splunk_servers values(sizeGB) as sizeGB values(app) AS app values(search_group) AS search_groups values(retention_period) AS retention_period by datamodel search_head_cluster | table datamodel app splunk_servers search_head_cluster retention_period sizeGB | sort - sizeGB | eval search_head_cluster=if(splunk_servers==search_head_cluster,"None",search_head_cluster) | |
| | rename datamodel as "Data Model" app AS "App" "splunk_servers" as "Search Head(s)" search_head_cluster AS "Search Head Cluster" retention_period AS "Retention Period (days)" sizeGB AS "Usage (GB)" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment