Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

query to get index/sourcetype that aren't being used in Splunk

harishsplunk7
Explorer
‎01-30-2024 10:11 AM

How to get the list of   indexes/sources that aren't being used in Splunk for last 90 days. can you anyone suggest query to get the index/sourcetype not used in any of knowledge object. 

Labels (5)
Labels
0 Karma
Reply

harishsplunk7
Explorer
‎01-31-2024 05:27 AM

we have nearly 700+ index configured in splunk and more than 1000+ sourcetypes associated with it. So  I will need to find out which index and sourcetype is not used by user in any of the savedsearch, dashboard, macro, Ad-hoc searches, alerts. I was looking into audit index for last 90 days but didnt get accurate result. 

 i  will need splunk query to get the report to show unused index and sourcetype. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-31-2024 06:21 AM

Again - Splunk won't find something that's not there. Because how should it? So you need to have a list of what you expect, then you do a list of what you have and you compare both lists. You can't get it other way because how? If Splunk doesn't have something it can't tell you what it is. See the link I pointed you to.

The question is how do you compile that list.  You're saying that you have specific sourcetypes "associated" with indexes. So you should have some table. Upload this table to Splunk as lookup and use this lookup to compare with your search results.

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-31-2024 12:34 AM

You have to be more specific.

1. There are many index names and sourcetypes which are not used in your environment. For example, I don't think you're using index names that I use in my private lab environment at home. You have to be more specific about what you need (while with the indexes you can mean checking just all defined indexes, with sourcetypes it's not clear)

2. You can't find something that isn't there. So you must have a list against which you'll be comparing your search results.  See https://www.duanewaddle.com/proving-a-negative/

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...