topic Re: splunk in Splunk Search

How to find which indexes are used?

Siddharthnegi — Wed, 17 Jan 2024 12:36:54 GMT

I have a simple question how can I check that in which of the apps a particular index has been used.

Re: splunk

ITWhisperer — Wed, 17 Jan 2024 09:01:01 GMT

Simply look at the source of all your dashboards, reports, alerts, macros, etc. to see if the index is used.

Re: splunk

isoutamo — Wed, 17 Jan 2024 10:06:49 GMT

unfortunately there haven't (at least i didn't know) any way to get this list for 100%. There are so many way how used index can be defined for queries. @ITWhisperer already list some of those, but if there is used index=xy* or index=* or if the index is not mentioned on SPL query or macro or event types then splunk will use what has defined for user's role (or combined roles) as default search index.

Basically you could get some list for used indexes, but don't trust that it contains all, unless it contains all indexes what you have defined on your system 😉

r. Ismo

Re: splunk

PickleRick — Wed, 17 Jan 2024 12:39:20 GMT

There is no 100% reliable way. There are some common cases which can be covered but you can only detect some typical cases where the indexes are specified explicitly. I can think of so many ways of specifying indexes dynamically (even generating index names randomly) that you can't find it automaticaly.

But the question is why do you even need that.

Re: How to find which indexes are used?

SinghK — Wed, 17 Jan 2024 12:44:25 GMT

there is no easy way of doing it but check the macros an app uses and then in that macro normally there is a search which points to an index. settings-->advanced search-->search macros and there you can find the index being used by app.

Re: splunk

nckncklogrhythm — Mon, 02 Mar 2026 19:56:18 GMT

"But the question is why do you even need that."

In a large, complex environment, with sprawl over time and lack-luster documentation, I am finding that teams are reaching out to us (splunk admins) to track down the use of "their" index; what reports are referencing it, dashboards, usage (both access and ingest to it) and so on.

This is an audit-type thought exercise that I think warrants valid inquiry and investigation. Knowing this information can provide insights in several arenas, including budgeting, permissions, necessity, efficiency and more. I am replying here in the hopes that splunk developers see this, or that the community has a bit further input.

Re: splunk

PickleRick — Tue, 03 Mar 2026 22:49:55 GMT

Yes, I've seen only too many times. But the thing is that it's a symptom of not well-enough defined processed and "undermanaged" environment. Ingest to specific indexes should be covered by proper onboarding process and it should be documented. Searching from an index generally should be covered by roles and therefore users' access.

Checking dashboards/reports is a task which might give you false feeling of completness.

Let me give you an example.

You have a dashboard. The dashboard uses a base search

`interesting_indexes` | stats count by host

The "interesting_indexes" macro is defined with an app and resoves to "index IN (firewall,hips)".

So far so good.

But a particular user redefined this macro privately to say "eventtype=windows_logoff". How are you supposed to know that this particular dashboard works differently for that user?