Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

query to get index/sourcetype that aren't being used in Splunk

harishsplunk7
Explorer
‎01-30-2024 10:11 AM

How to get the list of   indexes/sources that aren't being used in Splunk for last 90 days. can you anyone suggest query to get the index/sourcetype not used in any of knowledge object. 

Labels (5)
Labels
0 Karma
Reply

harishsplunk7
Explorer
‎01-31-2024 05:27 AM

we have nearly 700+ index configured in splunk and more than 1000+ sourcetypes associated with it. So  I will need to find out which index and sourcetype is not used by user in any of the savedsearch, dashboard, macro, Ad-hoc searches, alerts. I was looking into audit index for last 90 days but didnt get accurate result. 

 i  will need splunk query to get the report to show unused index and sourcetype. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-31-2024 06:21 AM

Again - Splunk won't find something that's not there. Because how should it? So you need to have a list of what you expect, then you do a list of what you have and you compare both lists. You can't get it other way because how? If Splunk doesn't have something it can't tell you what it is. See the link I pointed you to.

The question is how do you compile that list.  You're saying that you have specific sourcetypes "associated" with indexes. So you should have some table. Upload this table to Splunk as lookup and use this lookup to compare with your search results.

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-31-2024 12:34 AM

You have to be more specific.

1. There are many index names and sourcetypes which are not used in your environment. For example, I don't think you're using index names that I use in my private lab environment at home. You have to be more specific about what you need (while with the indexes you can mean checking just all defined indexes, with sourcetypes it's not clear)

2. You can't find something that isn't there. So you must have a list against which you'll be comparing your search results.  See https://www.duanewaddle.com/proving-a-negative/

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Developer Program!

Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...

Splunkbase Year in Review 2024

Reflecting on 2024, it’s clear that innovation and collaboration have defined the journey for Splunk ...

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...
Top