https://community.splunk.com/t5/Splunk-Search/I-need-to-know-which-index-and-app-has-been-access-how-many-time/m-p/496256#M194641 <P>This may help you:</P> <PRE><CODE>index=_audit action=search search=* sourcetype=audittrail | rex field=search "sourcetype\s*=\s*\"*(?&lt;SourcetypeUsed&gt;[^\s\"]+)" | rex field=search "index\s*=\s*\"*(?&lt;IndexUsed&gt;[^\s\"]+)" | search IndexUsed=* OR SourcetypeUsed=* | fillnull value="NA" IndexUsed SourcetypeUsed| stats count by IndexUsed SourcetypeUsed </CODE></PRE> <P>The count represents a number of searches execution that are using that index/sourcetype.</P> Mon, 27 Jan 2020 12:50:41 GMT p_gurav 2020-01-27T12:50:41Z https://community.splunk.com/t5/Splunk-Search/I-need-to-know-which-index-and-app-has-been-access-how-many-time/m-p/496253#M194638 <P>I need to know how many time all the indexes in my splunk has been accessed in last 30 days by app name(I tried so many posts but none of the post resolved my issue). can anyone help me to get this fixed.</P> Mon, 27 Jan 2020 12:19:17 GMT https://community.splunk.com/t5/Splunk-Search/I-need-to-know-which-index-and-app-has-been-access-how-many-time/m-p/496253#M194638 csharm21 2020-01-27T12:19:17Z https://community.splunk.com/t5/Splunk-Search/I-need-to-know-which-index-and-app-has-been-access-how-many-time/m-p/496254#M194639 <P>What you mean by "accessed", do you mean how many time somone searched in an index?<BR /> That information can you see in _audit.</P> Mon, 27 Jan 2020 12:21:46 GMT https://community.splunk.com/t5/Splunk-Search/I-need-to-know-which-index-and-app-has-been-access-how-many-time/m-p/496254#M194639 broberg 2020-01-27T12:21:46Z https://community.splunk.com/t5/Splunk-Search/I-need-to-know-which-index-and-app-has-been-access-how-many-time/m-p/496255#M194640 <P>@broberge yes i need to pull detail how many time some one searched the index. if that index has not been searched more then one month, we will do clean up. I tried multiple things using _Audit but still no luck.</P> Mon, 27 Jan 2020 12:24:57 GMT https://community.splunk.com/t5/Splunk-Search/I-need-to-know-which-index-and-app-has-been-access-how-many-time/m-p/496255#M194640 csharm21 2020-01-27T12:24:57Z https://community.splunk.com/t5/Splunk-Search/I-need-to-know-which-index-and-app-has-been-access-how-many-time/m-p/496256#M194641 <P>This may help you:</P> <PRE><CODE>index=_audit action=search search=* sourcetype=audittrail | rex field=search "sourcetype\s*=\s*\"*(?&lt;SourcetypeUsed&gt;[^\s\"]+)" | rex field=search "index\s*=\s*\"*(?&lt;IndexUsed&gt;[^\s\"]+)" | search IndexUsed=* OR SourcetypeUsed=* | fillnull value="NA" IndexUsed SourcetypeUsed| stats count by IndexUsed SourcetypeUsed </CODE></PRE> <P>The count represents a number of searches execution that are using that index/sourcetype.</P> Mon, 27 Jan 2020 12:50:41 GMT https://community.splunk.com/t5/Splunk-Search/I-need-to-know-which-index-and-app-has-been-access-how-many-time/m-p/496256#M194641 p_gurav 2020-01-27T12:50:41Z https://community.splunk.com/t5/Splunk-Search/I-need-to-know-which-index-and-app-has-been-access-how-many-time/m-p/496257#M194642 <P>Thanks p_gurav, this is working. I also need to filter this by application name. would you be able to help on this.</P> Mon, 27 Jan 2020 13:29:39 GMT https://community.splunk.com/t5/Splunk-Search/I-need-to-know-which-index-and-app-has-been-access-how-many-time/m-p/496257#M194642 csharm21 2020-01-27T13:29:39Z https://community.splunk.com/t5/Splunk-Search/I-need-to-know-which-index-and-app-has-been-access-how-many-time/m-p/496258#M194643 <P>Based on the comment thread, @p_gurav, you should convert your comment to an answer, so @csharm21 can accept it.<BR /> @csharm21 you should ask that as a separate question, in my humble opinion. Adding the APP to the query, most likely means you're querying _internal also, which would require a lot more work to add in.</P> Mon, 27 Jan 2020 16:11:41 GMT https://community.splunk.com/t5/Splunk-Search/I-need-to-know-which-index-and-app-has-been-access-how-many-time/m-p/496258#M194643 efavreau 2020-01-27T16:11:41Z