By Splunk July 27, 2012
In my last post, I talked about a way to use PowerShell to ease the installation of our Splunk App for VMware. This time, we’ll be using PowerShell in a much different way. As you might already know, the Splunk dev team has made a very robust set of REST API hooks for the product. What you may not know is that this enabled some other talented guys to build a PowerShell module which you can use not only to get data into and out of Splunk, but also to manage your Splunk infrastructure.
Now in my case, I have a goal in mind. I want to answer this question:
How much disk space is being consumed by indexes?
In my lab environment, I have one search head, and two indexers. It’s quite easy to find out the index size if you are running a single-server setup. Details about the indexes are easy to find in the Splunk manager web UI. But in a distributed environment, the indexers don’t have splunkweb turned on. You do have other options, particularly if you have server access. You can either go to the filesystem and look at space consumption that way, or you could execute a splunk CLI command to get the index settings.
But frankly, most of these methods are very Unixy (not that there’s anything wrong with that), even when running Splunk on Windows! I know my way around Unix fairly well, but at heart, I’m a Windows guy. I want to be able to solve my problems using Windows PowerShell, because that’s the tool that I’m most comfortable with.
In case you haven’t already done so, go grab the latest version of the Splunk PowerShell Resource Kit. Once you’ve got that installed, you’ll be able to follow along with my examples below.
Step one: Retrieve index objects
PS> $cred = Get-Credential PS> $idx = 'bd-idx-01.bd.splunk.com', 'bd-idx-02.bd.splunk.com' PS> $idx | Foreach-Object { Get-SplunkIndex -ComputerName $_ -Cred $cred }
And the (trimmed) output from the last line looks like this:
ComputerName Name ------------ ---- bd-idx-01.bd.splunk.com _audit bd-idx-01.bd.splunk.com _blocksignature bd-idx-02.bd.splunk.com _audit bd-idx-02.bd.splunk.com _blocksignature
Step two: Examine the output
Now that’s great, but where is the size? Remember—everything in PowerShell is an object. Let’s use the Get-Member cmdlet to examine the output from the Get-SplunkIndex cmdlet:
PS> $indexes = $idx | % { Get-SplunkIndex -ComputerName $_ -Cred $cred }
PS> $indexes | Get-Member -Name *size*
TypeName: Splunk.SDK.Index
Name MemberType Definition
---- ---------- ----------
blockSignSize NoteProperty System.Int32 blockSignSize=0
currentDBSizeMB NoteProperty System.Int32 currentDBSizeMB=79
maxDataSize NoteProperty System.String maxDataSize=auto
maxTotalDataSizeMB NoteProperty System.Int32 maxTotalDataSizeMB=500000
rawChunkSizeBytes NoteProperty System.String rawChunkSizeBytes=131072
First, I’m grabbing all the indexes and assigning them to the variable “$indexes”, because I’m going to be manipulating them a bit more as we continue. Next, that variable gets piped to Get-Member, which spits out tons of stuff. Because my goal is to look at index size, I decided to filter what Get-Member would return to show only those members which have the word “size” in the name.
Step three: Output
Looks like “currentDBSizeMB” is what I need, let’s put that into a nice table!
PS> $indexes | Select-Object -First 2 | Format-Table Name, currentDBSizeMB -AutoSize Name currentDBSizeMB ---- --------------- _audit 79 _blocksignature 1
Step four: Working with an index object
Before I leave you, let’s do something a bit more useful. Here are my top 10 indexes by size, grouped by indexer.
PS> $indexes | Sort-Object -Property currentDBSizeMB -Descending | Select-Object -First 10 | Sort-Object -Property ComputerName | Format-Table -GroupBy ComputerName Name, currentDBSizeMB -AutoSize ComputerName: bd-idx-01.bd.splunk.com Name currentDBSizeMB ---- --------------- servervirt_perf 5913 xenapp_perfmon 3865 _internal 2573 cisco_ucs_perf 5921 main 19895 perfmon 10120 hyperv_perfmon 7255 ComputerName: bd-idx-02.bd.splunk.com Name currentDBSizeMB ---- --------------- xenapp_perfmon 2531 cisco_ucs_perf 5775 servervirt_perf 4413
One of my favorite things about PowerShell is the pipeline. Funny how a line of code in PowerShell looks pretty similar to a Splunk search command!
If you’d like to learn more about the PowerShell Resource Kit, be sure to read the README which has links to tons of resources. Also, I interviewed Brandon Shell a bit ago about the project on the PowerScripting Podcast episode 165.
----------------------------------------------------
Thanks!
Hal Rottenberg