I am in need of a query that will list indexes not searched in the last 30 days.
please check the second answer by @ssievert_splunk : https://answers.splunk.com/answers/557131/index-hit-by-searches-in-last-30-days.html
Unless your users explicitly specify index=xxx in their search, you cannot do this since there is no audit log of what indices were implicitly accessed based on a users' permissions.
You can try to workaround this restriction by joining several searches:
Let me know if it helps