Reporting
Highlighted

How to clean up old indexes, reports, alerts, etc ?

Path Finder

I have inherited a splunk distributed deployment which is a bit of a train wreck.

Does anyone know of a way to identify indexes that no one has searched for a long time?

Or how to identify reports that no one has run for a long time or that are not scheduled?

Thank you,
Gunnar

Tags (3)
0 Karma
Highlighted

Re: How to clean up old indexes, reports, alerts, etc ?

SplunkTrust
SplunkTrust

Hi @Glasses,

Someone already developed a dashboard and posted it here for that purpose :
https://answers.splunk.com/answers/316312/ever-wonder-which-dashboards-are-being-used-and-wh.html

You can also use app such as search activity to see what's being used the most and reverse the search to get what's being used the least :
https://splunkbase.splunk.com/app/2632/

Another useful link to see dashboard usage here :
https://answers.splunk.com/answers/617051/how-can-i-create-a-query-to-find-dashboard-usage-a.html

Lots of resources about this. You can even leverage the MC to get more insight one what's happening.

Let me know if there's a specific query you're looking to build in addition to all that.

Cheers,
David