The saved search Audit - Index Readiness, along with a few other searches in SA-Utils and the lookups they write out to, are the basis for the data returned by the contentinfo REST endpoint. These are then queried by various dashboards (like ESS Content Library) in order to show whether or not data is available for use-cases.
It is exactly what it states. It searches all Splunk indexers and evaluates whether an indexer is sending throughput to the metrics.log group. If it detects throughput, cool, assign a 1 to it. If it doesn't, it gets a 0. It then writes this to a lookup file and a report. I would assume that this rolls up into a general Splunk health report for the security audits. Security needs continuity and responsiveness. If it doesn't get this from the Splunk env, then it has a problem.
Hope this helps,
As this search is heavy on the search head, since it runs every 30 minutes and searches the last 24 hours for all the indexes, can we customize this search to be lighter on CPU, i.e. edit the search query, increase the schedule interval and reduce the search time frame, etc.?