Need some help with a Splunk query: how do we determine the most accessed or least accessed (searched) index/sourcetype/source by user? Based on this we can make use of the license to on-board new logs to Splunk.
This is the query that can give that information, but there is a huge gap in this method, as some (or I must say most) searches don't even specify index/sourcetypes.
index=_audit action=search search=* sourcetype=audittrail | rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)" | rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)" | search IndexUsed=* OR SourcetypeUsed=* | fillnull value="NA" IndexUsed SourcetypeUsed| stats count values(search) by IndexUsed SourcetypeUsed
Thanks... so, the number in the count represents the number of users...?
The number in the count represents the number of search executions that are using that index/sourcetype. I believe a user field is also there, so throwing a dc(user) into the stats will give the count of users.
Got it, thanks... but as you said, some of the searches don't even specify index/sourcetypes.
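As an added illustration that is not part of the thread, the following Python mirrors the query's rex / fillnull / stats logic over a constructed set of _audit search strings, adds the dc(user) suggested above, and also lists the searches the method misses (the gap discussed). The audit events are made up; the regexes are the ones from the SPL above.

```python
import re
from collections import defaultdict

# Same patterns the SPL rex commands use (copied from the thread's query).
SOURCETYPE_RE = re.compile(r'sourcetype\s*=\s*"*([^\s"]+)')
INDEX_RE = re.compile(r'index\s*=\s*"*([^\s"]+)')

# Constructed sample of _audit action=search events: (user, search string).
AUDIT_EVENTS = [
    ("alice", 'search index=firewall sourcetype="cisco:asa" action=blocked | stats count'),
    ("bob",   'search index=firewall | head 10'),
    ("alice", 'search sourcetype=access_combined status=500'),
    ("carol", 'search error | stats count by host'),          # no index/sourcetype named
    ("bob",   'search index="firewall" sourcetype=cisco:asa dest_port=443'),
    ("dave",  '| savedsearch "Blocked Traffic"'),             # scope hidden inside a saved search
]


def extract_scope(search):
    """Return (index, sourcetype) named in the search text, 'NA' when absent (like fillnull)."""
    idx = INDEX_RE.search(search)
    st = SOURCETYPE_RE.search(search)
    return (idx.group(1) if idx else "NA", st.group(1) if st else "NA")


def usage_by_scope(events):
    """count and dc(user) per (index, sourcetype), like the thread's stats command."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for user, search in events:
        scope = extract_scope(search)
        if scope == ("NA", "NA"):
            continue  # 'search IndexUsed=* OR SourcetypeUsed=*' drops these silently
        counts[scope] += 1
        users[scope].add(user)
    return {scope: {"count": counts[scope], "dc_user": len(users[scope])} for scope in counts}


def unscoped_searches(events):
    """The gap the thread points out: searches whose text names no index or sourcetype."""
    return [(u, s) for u, s in events if extract_scope(s) == ("NA", "NA")]


if __name__ == "__main__":
    for scope, row in usage_by_scope(AUDIT_EVENTS).items():
        print(scope, row)
    print("not attributable from search text:", unscoped_searches(AUDIT_EVENTS))
```

Comparing the length of unscoped_searches against the total gives a quick measure of how much of the search volume this method cannot attribute to an index.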