I am doing a clean up process to all of indexes and i need to know who (users) searched the indexes in last 30 days. If there is no search found to any of the index, i am going to apply retention policy on that index to keep minimum data on HOT bucket of that index.
index=_audit action=search earliest=@d user!="splunk-system-user" user!=admin | stats values(search) by user
But this doesn't resulted as index wise.
Could some one let me know how do i use history function to find out if anyone has run searches against the indexes all of indexes in the last 30 days so that i can apply reduction on that.
Unless your users explicitly specify index=xxx in their search, you cannot do this since there is no audit log of what indices were implicitly accessed based on a users' permissions.
You can remove all "indices searched by default" for all roles, which will force users to have to specify index=xxx in their searches, which in turn will allow you to see what was used from _audit.
Below query will result of each user, their roles, search index allowed and search filter.
| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+)
| fillnull value=" "
| mvexpand srchIndexesAllowed | mvexpand srchIndexesDefault
| join type=left max=999 srchIndexesAllowed [rest /services/data/indexes | table title | eval srchIndexesAllowed = if(match(title, "^"), "", "") | rename title as IndexesAllowed]
| join type=left max=999 srchIndexesDefault [rest /services/data/indexes | table title | eval srchIndexesDefault = if(match(title, "^"), "", "") | rename title as IndexesDefault]
| stats values() as * by user
| foreach srch [eval <
| fields - Indexes