https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-for-indexes-sources-that-aren-t-being-used/m-p/573470#M199841 <P>Regarding indexes which are not being used, a simple adaptation of the example already posted yields a count of searches by index. I did this over 30 days as a quick example:</P><P class="lia-indent-padding-left-30px">index=_audit action=search user!=splunk-system-user search=* "index"<BR />| rex "search index=\"(?&lt;unused_index_search&gt;\w+)"<BR />| stats count by unused_index_search<BR />| sort - count</P><P>This can then be used to compare to a list of indexes and simply lookup count. An extension could be to use a lookup in conjunction but this is simple.</P><P>As mentioned already, always check with the client and end users before removing anything.</P><P>&nbsp;</P> Wed, 03 Nov 2021 12:00:33 GMT NullZero 2021-11-03T12:00:33Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-for-indexes-sources-that-aren-t-being-used/m-p/271302#M81669 <P>Is there a way to determine what sources and/or sourcetypes AREN'T being searched? If data is coming into Splunk and nobody is really looking at that data, then I don't need to keep bringing it in. I just want to find a way to determine this. </P> Mon, 14 Dec 2015 15:09:00 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-for-indexes-sources-that-aren-t-being-used/m-p/271302#M81669 a212830 2015-12-14T15:09:00Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-for-indexes-sources-that-aren-t-being-used/m-p/271303#M81670 <P>This is what I would do for sourcetypes:</P> <PRE><CODE>index=_audit action=search user=* search=* "sourcetype" | fields user, search | rex field=search max_match=0 "sourcetype\s*=\s*(?&lt;st_used&gt;[\w\d_]+)" | stats count by user, st_used | sort limit=0 st_used </CODE></PRE> <P>You can probably use something similar for indexes or sources.</P> <P>Thanks,<BR /> J</P> Mon, 14 Dec 2015 15:46:46 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-for-indexes-sources-that-aren-t-being-used/m-p/271303#M81670 javiergn 2015-12-14T15:46:46Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-for-indexes-sources-that-aren-t-being-used/m-p/271304#M81671 <P>It will not really show you all the data that are being searches implicitly, but will give you an idea of what is searched the most explicitly.</P> <UL> <LI><P>explicit searches :</P> <P>sourcetype=A<BR /> NOT sourcetype=B</P></LI> <LI><P>implicit searches :</P> <P>sourcetype=*<BR /> index=B *</P></LI> </UL> Mon, 14 Dec 2015 17:16:57 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-for-indexes-sources-that-aren-t-being-used/m-p/271304#M81671 yannK 2015-12-14T17:16:57Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-for-indexes-sources-that-aren-t-being-used/m-p/573470#M199841 <P>Regarding indexes which are not being used, a simple adaptation of the example already posted yields a count of searches by index. I did this over 30 days as a quick example:</P><P class="lia-indent-padding-left-30px">index=_audit action=search user!=splunk-system-user search=* "index"<BR />| rex "search index=\"(?&lt;unused_index_search&gt;\w+)"<BR />| stats count by unused_index_search<BR />| sort - count</P><P>This can then be used to compare to a list of indexes and simply lookup count. An extension could be to use a lookup in conjunction but this is simple.</P><P>As mentioned already, always check with the client and end users before removing anything.</P><P>&nbsp;</P> Wed, 03 Nov 2021 12:00:33 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-search-for-indexes-sources-that-aren-t-being-used/m-p/573470#M199841 NullZero 2021-11-03T12:00:33Z