https://community.splunk.com/t5/Knowledge-Management/Spunk-indexes/m-p/667102#M9798 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262095">@ZombieT</a>&nbsp;,</P><P>the best way is the Monitoring Console in which you have all the information about all Indexes, but if they are hundreds it will not be so easy to read!</P><P>let me know if I can help you more, or, please, accept one answer for the other people of Community.</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 02 Nov 2023 08:16:00 GMT gcusello 2023-11-02T08:16:00Z https://community.splunk.com/t5/Knowledge-Management/Spunk-indexes/m-p/667083#M9795 <P>Hello, I am fairly familiar to spunk, but I do need to improve on indexes. I am currently working on a new client environment and they have a large amount of indexes within splunk, however some of them are inactive.&nbsp;</P><P>A couple of question:</P><P>&gt;How can I determine if an index is active/connected properly</P><P>&gt;is there an easier way to show the above; for example if there's 100 indexes how can I find out which are still active in a graph or a more visual view.&nbsp;</P><P>Hope it makes sense. Thank you in advance for any advice.&nbsp;</P> Thu, 02 Nov 2023 04:49:10 GMT https://community.splunk.com/t5/Knowledge-Management/Spunk-indexes/m-p/667083#M9795 ZombieT 2023-11-02T04:49:10Z https://community.splunk.com/t5/Knowledge-Management/Spunk-indexes/m-p/667097#M9796 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262095">@ZombieT</a>,</P><P>if you have to advice your customer about indexes, remember always that an index is a silos that contains all kind of events with the same retention time and the same access grants: an index isn't a database table; you define data characteristics using sourcetype, not index.</P><P>Anyway, you can know if an index is used, and if not, when it was used for the last time running a search like this:</P><LI-CODE lang="markup">| eventcount summarize=false index=* | dedup index </LI-CODE><P>or better</P><LI-CODE lang="markup">| tstats count latest(_time) AS latest WHERE index=* BY index | append [ | eventcount summarize=false index=* | dedup index | eval count=0 | fields index count ] | stats sum(count) AS total values(latest) AS latest BY index | eval latest =strftime(latest,"%Y-%m-%d %H:%M:%S"), status=if(total=0,"No events","Last event at ".latest) | table index status</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 02 Nov 2023 07:26:53 GMT https://community.splunk.com/t5/Knowledge-Management/Spunk-indexes/m-p/667097#M9796 gcusello 2023-11-02T07:26:53Z https://community.splunk.com/t5/Knowledge-Management/Spunk-indexes/m-p/667100#M9797 <P>Great response, mille grazie Giuseppe;</P><P>&nbsp;</P><P>On the back of that if say the client asks to show them a simpler way for example a gui way, how do I go about checking that; thank you in advance.&nbsp;</P> Thu, 02 Nov 2023 08:07:51 GMT https://community.splunk.com/t5/Knowledge-Management/Spunk-indexes/m-p/667100#M9797 ZombieT 2023-11-02T08:07:51Z https://community.splunk.com/t5/Knowledge-Management/Spunk-indexes/m-p/667102#M9798 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262095">@ZombieT</a>&nbsp;,</P><P>the best way is the Monitoring Console in which you have all the information about all Indexes, but if they are hundreds it will not be so easy to read!</P><P>let me know if I can help you more, or, please, accept one answer for the other people of Community.</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 02 Nov 2023 08:16:00 GMT https://community.splunk.com/t5/Knowledge-Management/Spunk-indexes/m-p/667102#M9798 gcusello 2023-11-02T08:16:00Z