Getting Data In

100% use of my events.

Path Finder

Hello community.

I have a query and I don't know if what I'm thinking can be achieved and how or if Splunk already has a way to solve my question.

My question is:
How to know how many bytes and fields extracted from my events in a particular index I am taking advantage of in searches?

I would like to be able to identify if I am indexing more than what is really useful for my dashboards.

0 Karma


Hi @lufermalgo,
I think that the only way to understand if all the indexed logs (or which part of them) are useful for you is to analyze informations in your logs: fields, messages, etc...

Analyzyng this, you can understand if there are events without useful informations and then exclude them before indexing using regexes.
An example to understand: if you need to know only accesses to windows servers, you need only few EventCodes (4624, 4625, 4634, etc...) so you could exclude events e.g. with EventCode=4688 (A new process has been created).

There are two methids to filter events: you can take only some interesting events and discard the others or discard only unuseful events and take all the other events.

The way to filter events is described at


0 Karma

Ultra Champion
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...