Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

List of indexes not referenced in the last 30 days

sumaitasiddiky
New Member
‎05-04-2020 01:43 AM

I am in need of a query that will list indexes not searched in the last 30 days.

Tags (1)
0 Karma
Reply

PavelP
Motivator
‎05-04-2020 03:15 AM

Hello @sumaitasiddiky

please check the second answer by @ssievert_splunk : https://answers.splunk.com/answers/557131/index-hit-by-searches-in-last-30-days.html

Unless your users explicitly specify index=xxx in their search, you cannot do this since there is no audit log of what indices were implicitly accessed based on a users' permissions.

You can try to workaround this restriction by joining several searches:

  • searches with indexes from audit log
  • searches with sourcetype or source -> map to indexes
  • other searches -> run them and get references index(es)

Let me know if it helps

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...