Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Spunk indexes

ZombieT
Engager
‎11-01-2023 09:49 PM

Hello, I am fairly familiar to spunk, but I do need to improve on indexes. I am currently working on a new client environment and they have a large amount of indexes within splunk, however some of them are inactive. 

A couple of question:

>How can I determine if an index is active/connected properly

>is there an easier way to show the above; for example if there's 100 indexes how can I find out which are still active in a graph or a more visual view. 

Hope it makes sense. Thank you in advance for any advice. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-02-2023 12:26 AM

Hi @ZombieT,

if you have to advice your customer about indexes, remember always that an index is a silos that contains all kind of events with the same retention time and the same access grants: an index isn't a database table; you define data characteristics using sourcetype, not index.

Anyway, you can know if an index is used, and if not, when it was used for the last time running a search like this:

| eventcount summarize=false index=* | dedup index

or better

| tstats count latest(_time) AS latest WHERE index=* BY index
| append [
   | eventcount summarize=false index=* 
   | dedup index 
   | eval count=0 
   | fields index count 
   ]
| stats sum(count) AS total values(latest) AS latest BY index
| eval 
   latest =strftime(latest,"%Y-%m-%d %H:%M:%S"),
   status=if(total=0,"No events","Last event at ".latest)
| table index status

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-02-2023 12:26 AM

Hi @ZombieT,

if you have to advice your customer about indexes, remember always that an index is a silos that contains all kind of events with the same retention time and the same access grants: an index isn't a database table; you define data characteristics using sourcetype, not index.

Anyway, you can know if an index is used, and if not, when it was used for the last time running a search like this:

| eventcount summarize=false index=* | dedup index

or better

| tstats count latest(_time) AS latest WHERE index=* BY index
| append [
   | eventcount summarize=false index=* 
   | dedup index 
   | eval count=0 
   | fields index count 
   ]
| stats sum(count) AS total values(latest) AS latest BY index
| eval 
   latest =strftime(latest,"%Y-%m-%d %H:%M:%S"),
   status=if(total=0,"No events","Last event at ".latest)
| table index status

Ciao.

Giuseppe

Reply
Solved! Jump to solution

ZombieT
Engager
‎11-02-2023 01:07 AM

Great response, mille grazie Giuseppe;

 

On the back of that if say the client asks to show them a simpler way for example a gui way, how do I go about checking that; thank you in advance. 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-02-2023 01:16 AM

@ZombieT ,

the best way is the Monitoring Console in which you have all the information about all Indexes, but if they are hundreds it will not be so easy to read!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...