Getting Data In

100% use of my events.

Path Finder

Hello community.

I have a query and I don't know if what I'm thinking can be achieved and how or if Splunk already has a way to solve my question.

My question is:
How to know how many bytes and fields extracted from my events in a particular index I am taking advantage of in searches?

I would like to be able to identify if I am indexing more than what is really useful for my dashboards.

0 Karma


Hi @lufermalgo,
I think that the only way to understand if all the indexed logs (or which part of them) are useful for you is to analyze informations in your logs: fields, messages, etc...

Analyzyng this, you can understand if there are events without useful informations and then exclude them before indexing using regexes.
An example to understand: if you need to know only accesses to windows servers, you need only few EventCodes (4624, 4625, 4634, etc...) so you could exclude events e.g. with EventCode=4688 (A new process has been created).

There are two methids to filter events: you can take only some interesting events and discard the others or discard only unuseful events and take all the other events.

The way to filter events is described at


0 Karma

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!