topic Re: How to get Index or Sourcetype not accessed or used by anyone in splunk in Splunk Search

How to get Index or Sourcetype not accessed or used by anyone in splunk

harishsplunk7 — Wed, 26 Feb 2025 04:21:52 GMT

I am want to get the list of Index and sourcetype which is not used by anyone for more than 90 days.

Re: How to get Index or Sourcetype not accessed or used by anyone in splunk

kiran_panchavat — Wed, 26 Feb 2025 09:00:22 GMT

@harishsplunk7

Try this, you can change the age value to 7776000 (90days)

Re: How to get Index or Sourcetype not accessed or used by anyone in splunk

kiran_panchavat — Wed, 26 Feb 2025 09:01:04 GMT

@harishsplunk7

query for 90 days.

| tstats latest(_time) as lastTime where index=* by index, sourcetype 
| eval age=now()-lastTime 
| where age > 7776000 
| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S") 
| table index, sourcetype, lastTime

Re: How to get Index or Sourcetype not accessed or used by anyone in splunk

harishsplunk7 — Wed, 26 Feb 2025 17:11:00 GMT

the query is not getting expected result, i was runining for last 90 days but didnt get the result.

Re: How to get Index or Sourcetype not accessed or used by anyone in splunk

harishsplunk7 — Mon, 03 Mar 2025 16:05:57 GMT

the query is not getting expected result, I need to get the list of index which is not used by anyone

Re: How to get Index or Sourcetype not accessed or used by anyone in splunk

PickleRick — Mon, 03 Mar 2025 18:36:12 GMT

1. Main question - how do you define "not used"?

2. While indexes are discrete "bags" for events, sourcetype is just a label. Yes, it bears a significant meaning for Splunk functionalities but you can even make each event have a separate sourcetype. So why would you want to know what your "unused" sourcetype are?

Re: How to get Index or Sourcetype not accessed or used by anyone in splunk

harishsplunk7 — Mon, 03 Mar 2025 18:51:53 GMT

I am listing the index name using rest query and then checking those index name with audit or internal to to find if how many index used, sourcetype used, and HOW Many index not used in splunk.

Also i need to identify which indexes and sourcetypes have not received any data for a period exceeding 90 days.

Re: How to get Index or Sourcetype not accessed or used by anyone in splunk

isoutamo — Mon, 03 Mar 2025 19:46:42 GMT

This is quite often asked question when people want know are there unused indexes etc. you could look those by searching with google.
Short answer is you can’t get this kind of list which is 100% accurate. There are so many ways how you can access that data and there is no requirement that users must use index name or sourcetype names on queries.
Of course you can get some estimates and you can get list of indexes and sourcetypes which are used, but there is no way to get list of unused ones!

Re: How to get Index or Sourcetype not accessed or used by anyone in splunk

PickleRick — Mon, 03 Mar 2025 20:21:33 GMT

Again - depends on what "unused" means here.

Just listing defined indexes which hadn't received any data - that should be pretty straightforward indeed - check your defined indexes (it might be difficult though if you're on distributed setup and don't have the capability of spawning rest to indexers!) and compare it with a summary of your data across all indexes. (be aware of the difference between _time and _indextime). Be aware though that if you have shorter retention periods than what you're searching through, you might not get valid data.

But that's it. Depending on what you mean by "unused", the rest of the task can be difficult or even impossible.

How is Splunk supposed to know what sourcetypes you might have had defined yesterday and haven't searched for them? Or something like that...

And if you have two or more SH(C)s connecting to the same indexer(s)...

That might get ugly quickly.

Re: How to get Index or Sourcetype not accessed or used by anyone in splunk

isoutamo — Mon, 03 Mar 2025 20:31:13 GMT

Of course it depends on what “unused” means and what kind of role you have. I expect that you have admin role which can access all indexes. But as @PickleRick said if your role haven’t access to all indexes or you role haven’t granted capability to use remote rest to indexers then we have one additional issue. Fortunately we have https://splunkbase.splunk.com/app/6368 which help you on those cases, but still there will be other challenges.

Re: How to get Index or Sourcetype not accessed or used by anyone in splunk

harishsplunk7 — Tue, 04 Mar 2025 16:55:07 GMT

I have tried to get the index not used used any KO, but not getting all the details.

| rest /services/data/indexes
| fields index
| eval index=1
[index=_audit| stats count as accessed by index, search ]

| stats sum(accessed) as accessed, values(index) as index by

| fillnull accessed value=0
| where index=1 AND accessed=0

Total Index	Index Not used in Any Knowledge Object	Index has 0 data last 90 days
100	25	10