Index hit by searches in last 30 days

I am doing a clean-up of all of our indexes and I need to know who (which users) searched the indexes in the last 30 days. If no search is found for an index, I am going to apply a retention policy to that index to keep minimum data in the HOT bucket of that index.

Tried with

index=_audit action=search earliest=@d user!="splunk-system-user" user!=admin | stats values(search) by user 

But this doesn't give results per index.

Could someone let me know how I use the history function to find out if anyone has run searches against any of the indexes in the last 30 days, so that I can apply reduction on that?


0 Karma

Splunk Employee

Unless your users explicitly specify index=xxx in their search, you cannot do this, since there is no audit log of which indices were implicitly accessed based on a user's permissions.
You can remove all "indices searched by default" for all roles, which will force users to specify index=xxx in their searches, which in turn will allow you to see what was used from _audit.

0 Karma
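To make the question and the answer above concrete, here is an added Python example (not code from the original thread or from Splunk) that models what can and cannot be recovered from _audit. It runs over a few constructed audit-style records (user, roles, search string) and a constructed role-to-srchIndexesDefault map, extracts the explicit index= terms from each search (including wildcards, and dropping NOT index=x / index!=x, which never grant access), and, when a search names no index, falls back to the roles' default indexes and flags the hit as implicit, which is exactly the attribution the answer says _audit cannot give you on its own. In Splunk itself the equivalent extraction is a rex over the search field of index=_audit action=search events; the field names, sample data and role map here are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of _audit action=search records: (time, user, roles, search).
# These are made-up records for the example, not real audit data.
SAMPLE_AUDIT = [
    ("2024-05-01T09:12:00", "alice", ["user"],  "search index=web status=500 | stats count by host"),
    ("2024-05-03T14:02:00", "bob",   ["power"], 'search index="firewall" OR index=proxy action=blocked'),
    ("2024-05-05T08:30:00", "carol", ["user"],  "search sourcetype=syslog error"),   # no index= at all
    ("2024-05-06T11:00:00", "alice", ["user"],  "search index=fire* blocked | head 10"),
    ("2024-05-07T16:45:00", "bob",   ["power"], "search NOT index=proxy failed login"),
    ("2024-05-08T10:10:00", "dave",  ["power"], "search index='web' (GET OR POST)"),
    ("2024-03-15T07:00:00", "erin",  ["user"],  "search index=_internal component=Metrics"),  # outside window
]

# Constructed role -> srchIndexesDefault map (what authorize.conf would hold).
ROLE_DEFAULT_INDEXES = {"user": ["main"], "power": ["main", "proxy"]}

# Constructed list of indexes on the instance (what | rest /services/data/indexes would list).
KNOWN_INDEXES = ["main", "web", "firewall", "proxy", "_internal"]

# Matches index=foo, index="foo", index='foo', index=fire*, and captures a leading NOT or a != operator.
INDEX_RE = re.compile(r'(NOT\s+)?\bindex\s*(!=|=)\s*["\']?([\w\-*]+)["\']?', re.IGNORECASE)


def explicit_indexes(search):
    """Split the index terms of a search into positive and negated name/pattern lists."""
    positive, negated = [], []
    for neg, op, name in INDEX_RE.findall(search):
        (negated if (neg or op == "!=") else positive).append(name.lower())
    return positive, negated


def expand_wildcard(pattern, known):
    """Expand a Splunk-style wildcard against the known index names.
    Mirrors the convention that '*' does not cover internal (underscore) indexes; '_*' does."""
    rx = re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")
    return [i for i in known if rx.match(i) and i.startswith("_") == pattern.startswith("_")]


def resolve_indexes(search, roles, role_defaults, known):
    """Return (sorted index list, implicit) for one search.
    implicit is True when no positive index term was given, so the search ran over the
    union of the roles' srchIndexesDefault; that attribution is only as good as the role map."""
    positive, negated = explicit_indexes(search)
    if positive:
        resolved = set()
        for n in positive:
            resolved.update(expand_wildcard(n, known) if "*" in n else [n])
        return sorted(resolved), False
    defaults = set()
    for r in roles:
        defaults.update(role_defaults.get(r, []))
    for n in negated:  # NOT index=x / index!=x narrows the default set, it never widens it
        defaults.difference_update(expand_wildcard(n, known) if "*" in n else [n])
    return sorted(defaults), True


def index_usage(events, role_defaults, known, now_iso, days=30):
    """Per index searched inside the window: users, last search time, and whether every
    hit was implicit (i.e. the index was only reached through role defaults)."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=days)
    usage = {}
    for ts, user, roles, search in events:
        if datetime.fromisoformat(ts) < cutoff:
            continue
        idxs, implicit = resolve_indexes(search, roles, role_defaults, known)
        for idx in idxs:
            rec = usage.setdefault(idx, {"users": set(), "last": ts, "implicit_only": True})
            rec["users"].add(user)
            rec["last"] = max(rec["last"], ts)  # ISO-8601 strings sort chronologically
            if not implicit:
                rec["implicit_only"] = False
    return usage


def unsearched_indexes(usage, known):
    """Indexes with no recorded search in the window: candidates for the retention change."""
    return [i for i in known if i not in usage]


if __name__ == "__main__":
    usage = index_usage(SAMPLE_AUDIT, ROLE_DEFAULT_INDEXES, KNOWN_INDEXES, "2024-05-10T00:00:00")
    for idx in sorted(usage):
        rec = usage[idx]
        tag = " (implicit only)" if rec["implicit_only"] else ""
        print(f"{idx:10s} last={rec['last']} users={sorted(rec['users'])}{tag}")
    print("not searched in window:", unsearched_indexes(usage, KNOWN_INDEXES))
```

Two things the output makes visible: main is reported as "implicit only", meaning nothing in the audit text proves anyone searched it, only the role defaults say so; and an index that is absent from the result is absent only for the window you chose, so run the window over the full retention period you care about before treating it as unused.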


The query below will return, for each user, their roles, the indexes they are allowed to search and their search filter.

| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer="(\S+)" | makemv srchIndexesDefault tokenizer="(\S+)"
| fillnull value=" "
| mvexpand srchIndexesAllowed | mvexpand srchIndexesDefault
| join type=left max=999 srchIndexesAllowed [rest /services/data/indexes | table title | eval srchIndexesAllowed = if(match(title, "^_"), "_*", "*") | rename title as IndexesAllowed]
| join type=left max=999 srchIndexesDefault [rest /services/data/indexes | table title | eval srchIndexesDefault = if(match(title, "^_"), "_*", "*") | rename title as IndexesDefault]
| stats values(*) as * by user
| foreach srch* [eval <<FIELD>> = mvappend(<<FIELD>>, <<MATCHSTR>>) | eval <<FIELD>> = mvfilter(match(<<FIELD>>, "^[^*]+$"))]
| fields - Indexes*

0 Karma

Splunk Employee

Cool search, but it doesn't really tell you which of the permitted indices were actually searched. 🙂

0 Karma