topic List of newly created indexes in splunk in the last 30 days in Splunk Search

List of newly created indexes in splunk in the last 30 days

sumaitasiddiky — Wed, 30 Sep 2020 05:07:18 GMT

I need a list of indexes that are newly created in the last 30 days and need the creation date of those indexes.

I have used this query :

| rest /services/data/indexes
| search totalEventCount > 0
| eval now=strftime(now(), "%Y-%m-%d")
| stats first(minTime) as first_date first(now) as now first(currentDBSizeMB) as currentDBSizeMB by title
| eval comparison_date=now()-30*86400 | sort - first_date | eval first_date=strptime(first_date,"%Y-%m-%dT%H:%M:%S.%6N") | eval status=if(first_date

Re: List of newly created indexes in splunk in the last 30 days

MaverickT — Wed, 22 Apr 2020 11:26:03 GMT

What about this search query?

index=_audit action=indexes_edit operation=create

Re: List of newly created indexes in splunk in the last 30 days

martin_mueller — Wed, 22 Apr 2020 14:11:58 GMT

This should only tell you about indexes created via API / UI, not about indexes created via conf files (most common case in real-world environments with a separate indexing tier). Those don't have an easily accessible creation date.

Re: List of newly created indexes in splunk in the last 30 days

martin_mueller — Wed, 22 Apr 2020 14:13:31 GMT

You could maintain such a list in a lookup, amend the lookup with a scheduled search using that REST call every day to add a creation date to a first-seen lookup, and then use that lookup to filter for last 30 days or whatever time range you need.

https://www.splunk.com/en_us/blog/tips-and-tricks/maintaining-state-of-the-union.html

Re: List of newly created indexes in splunk in the last 30 days

charlesmeo — Thu, 23 Apr 2020 00:02:34 GMT

I believe this problem has wider ramifications. Please have a look at Splunk Ideas, for a proposal to integrate Splunk with Source Code Control: https://ideas.splunk.com/ideas/E-I-7

This would address this problem and many others. SCC would maintain all your modification dates and revision history. You can furthermore splunk a git repo as well as the git metadata, to report both the available facts and the current code.

Because Splunk supports so many disparate ways to update your configuration--which is code when it comes right down to it--this has always been a problem. In the field there are many ingenious and occasionally really scary home-made solutions, which you have to have, or mature Splunk installations sooner or later become unmanageable.

If you support the notion of source code control integration for Splunk, please vote for the idea so it gets more traction.
Charles