Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Spunk indexes

ZombieT
Engager
‎11-01-2023 09:49 PM

Hello, I am fairly familiar to spunk, but I do need to improve on indexes. I am currently working on a new client environment and they have a large amount of indexes within splunk, however some of them are inactive. 

A couple of question:

>How can I determine if an index is active/connected properly

>is there an easier way to show the above; for example if there's 100 indexes how can I find out which are still active in a graph or a more visual view. 

Hope it makes sense. Thank you in advance for any advice. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-02-2023 12:26 AM

Hi @ZombieT,

if you have to advice your customer about indexes, remember always that an index is a silos that contains all kind of events with the same retention time and the same access grants: an index isn't a database table; you define data characteristics using sourcetype, not index.

Anyway, you can know if an index is used, and if not, when it was used for the last time running a search like this:

| eventcount summarize=false index=* | dedup index

or better

| tstats count latest(_time) AS latest WHERE index=* BY index
| append [
   | eventcount summarize=false index=* 
   | dedup index 
   | eval count=0 
   | fields index count 
   ]
| stats sum(count) AS total values(latest) AS latest BY index
| eval 
   latest =strftime(latest,"%Y-%m-%d %H:%M:%S"),
   status=if(total=0,"No events","Last event at ".latest)
| table index status

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-02-2023 12:26 AM

Hi @ZombieT,

if you have to advice your customer about indexes, remember always that an index is a silos that contains all kind of events with the same retention time and the same access grants: an index isn't a database table; you define data characteristics using sourcetype, not index.

Anyway, you can know if an index is used, and if not, when it was used for the last time running a search like this:

| eventcount summarize=false index=* | dedup index

or better

| tstats count latest(_time) AS latest WHERE index=* BY index
| append [
   | eventcount summarize=false index=* 
   | dedup index 
   | eval count=0 
   | fields index count 
   ]
| stats sum(count) AS total values(latest) AS latest BY index
| eval 
   latest =strftime(latest,"%Y-%m-%d %H:%M:%S"),
   status=if(total=0,"No events","Last event at ".latest)
| table index status

Ciao.

Giuseppe

Reply
Solved! Jump to solution

ZombieT
Engager
‎11-02-2023 01:07 AM

Great response, mille grazie Giuseppe;

 

On the back of that if say the client asks to show them a simpler way for example a gui way, how do I go about checking that; thank you in advance. 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-02-2023 01:16 AM

@ZombieT ,

the best way is the Monitoring Console in which you have all the information about all Indexes, but if they are hundreds it will not be so easy to read!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...