I would like to get a list of all views and/or searches that use a specific index. Can I do this using a splunk search?
In principle you could use the
rest (core Splunk) or
splunkentity (SideviewUtils) commands to load saved searches, and perform calculations based on their search string - for example, looking for
However, I don't think that's an easy-to-answer question, even for a human looking at the searches.
Take a search that doesn't specify an index as an example, that will search whatever indexes are set as default for the user's role so whether it does search your specific index or not depends on the user executing the search.
Answering that question becomes really messy once you compute an index from a subsearch result...
I'm interested in the searches that "do" specify the index. For our users one of the best practice tips we give them is that they specify the index. We found that it greatly improves search time.
We have over 100 indexes so if you don't specify the index then splunk has to open every index on every indexer to see if there are matching events. This can take a while.