https://community.splunk.com/t5/Splunk-Enterprise/index-investigation/m-p/711386#M21623 <P>So we are starting a new project soon, and basically our boss is personally sending me an index (not internal) to investigate.</P><P><BR />Investigate as far as as far as usage. We are trying to optimize the env and cut whats not being used, or checking to see what is being overused. KO'S, data intake, etc.</P><P><BR />Any good practices, processes or tips you can lend? this would be the most perfect learning opportunity. Im excited, but nervous.</P> Wed, 12 Feb 2025 16:39:44 GMT Kenny_splunk 2025-02-12T16:39:44Z https://community.splunk.com/t5/Splunk-Enterprise/index-investigation/m-p/711386#M21623 <P>So we are starting a new project soon, and basically our boss is personally sending me an index (not internal) to investigate.</P><P><BR />Investigate as far as as far as usage. We are trying to optimize the env and cut whats not being used, or checking to see what is being overused. KO'S, data intake, etc.</P><P><BR />Any good practices, processes or tips you can lend? this would be the most perfect learning opportunity. Im excited, but nervous.</P> Wed, 12 Feb 2025 16:39:44 GMT https://community.splunk.com/t5/Splunk-Enterprise/index-investigation/m-p/711386#M21623 Kenny_splunk 2025-02-12T16:39:44Z https://community.splunk.com/t5/Splunk-Enterprise/index-investigation/m-p/711393#M21624 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266305">@Kenny_splunk</a>&nbsp;</P><P>Use the tstats command to track index usage over time. This will help you identify peaks and patterns in data usage.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kiran_panchavat_0-1739378932220.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/34467iB7AC7E72FC5CE147/image-size/medium?v=v2&amp;px=400" role="button" title="kiran_panchavat_0-1739378932220.png" alt="kiran_panchavat_0-1739378932220.png" /></span></P><UL><LI>Review and adjust your index retention policies to ensure that data is stored only for as long as needed. This can help reduce storage costs.</LI><LI>Review saved searches and reports to ensure they are still relevant and being used. Disable or delete those that are not needed.</LI><LI>Optimize your searches by using efficient search commands and avoiding unnecessary subsearches. Use summary indexing and data models for faster results.</LI></UL><H4><STRONG>Index Usage Over Time:</STRONG></H4><DIV><DIV>&nbsp;</DIV></DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kiran_panchavat_1-1739379010286.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/34468i134539AB7C2ADC2E/image-size/medium?v=v2&amp;px=400" role="button" title="kiran_panchavat_1-1739379010286.png" alt="kiran_panchavat_1-1739379010286.png" /></span></P><P>&nbsp;</P> Wed, 12 Feb 2025 16:51:24 GMT https://community.splunk.com/t5/Splunk-Enterprise/index-investigation/m-p/711393#M21624 kiran_panchavat 2025-02-12T16:51:24Z https://community.splunk.com/t5/Splunk-Enterprise/index-investigation/m-p/711394#M21625 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266305">@Kenny_splunk</a>&nbsp;</P><UL><LI>Find sourcetypes that are consuming a lot of data, especially unnecessary logs</LI><LI>Reduce retention or delete them if they are no longer needed.</LI><LI>If multiple indexes contain similar data, consolidate where possible.</LI></UL><P>&nbsp;</P> Wed, 12 Feb 2025 16:55:54 GMT https://community.splunk.com/t5/Splunk-Enterprise/index-investigation/m-p/711394#M21625 kiran_panchavat 2025-02-12T16:55:54Z https://community.splunk.com/t5/Splunk-Enterprise/index-investigation/m-p/711418#M21629 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266305">@Kenny_splunk</a>&nbsp;</P><P>I think the best place to start here is by checking the _audit index to see who is using/searching aginst the index in question...</P><P>Start off with the following query and take it from there:</P><LI-CODE lang="markup">index=_audit search="*&lt;yourIndexName&gt;*" info=completed action=search</LI-CODE><P>Its important to remember, however, than some people might search for index=* in order to access a particular index, which might not come up in the above search. They might also use something like win* instead of win_events.&nbsp;<BR />People can use index="yourName", index=yourName, index IN (yourName,anotherName) etc etc which is why I included the wildcards either side for the above sample query. You might want to tune to your environment etc as you see fit!</P><P>In these logs you should find a number of useful fields, such as "search" (what they ran) and "user" (Who ran it) amonst other things llike event_count and result_count.</P><P>Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.<BR />Regards</P><P>Will</P> Wed, 12 Feb 2025 21:37:31 GMT https://community.splunk.com/t5/Splunk-Enterprise/index-investigation/m-p/711418#M21629 livehybrid 2025-02-12T21:37:31Z