How do I create a list of indexes (internal & non-...

SamHTexas · ‎01-12-2022

I am getting performance errors on the ES reg. many indexes used by users, specially the admin role. Any SPLs or direction is much appreciated.

richgalloway · ‎01-12-2022

Tell us more about the problem. What "performance errors" are you getting? What makes you think it's an index problem?

---
If this reply helps you, Karma would be appreciated.

SamHTexas · ‎01-13-2022

Thank u for your message. The message I am getting now on ES is " The list of indexes to be searched by default by admin role includes all non-internal indexes" that is causing the performance problem. So I need to learn how to create a list of users & indexes they are using by role & possible amount of data being ingested or so. Because we have local admin accounts aside from routine accts by user name. I hope I explained what am facing. I appreciate any SPLs or directions. Per your suggestion am using the MC very closely. We have it on distributed mode on the Ent & non-distributed mode on the ES.

richgalloway · ‎01-14-2022

That message is saying the default indexes for the admin role is too broad. IOW, any admin that doesn't specify an index in a search will end up searching all non-internal indexes. You know that's not good. The fix is to remove all indexes from the default list (do that for all other roles, too). This will force users to always specify an index name in their searches if they want to see results. Of course, you'll want to let people know you've done that so they know to always specify an index.

---
If this reply helps you, Karma would be appreciated.

SamHTexas · ‎01-18-2022

Please, is there a way to make a list of indexes each user uses. How do I make a list of internal & non -internal indexes that user roles are using. Thanks very much as usual.

richgalloway · ‎01-18-2022

There is no record of which indexes a user has accessed or of which users have accessed an index.

You can scrape the internal logs for searches that have been run and extract index names from them. However, if users are using default indexes then that information will be absent from the logs.

You could ask the users what indexes they use/need, but you may find out they don't know because they haven't had to worry about it.

---
If this reply helps you, Karma would be appreciated.

SinghK · ‎01-18-2022

| rest /services/data/indexes will give you the list of all indexes etc, there are many fields check and use as per your requirement.

SamHTexas · ‎01-18-2022

Thanks very much but this does not name indexes by name. It shows indexes like "all_shcluster_indexes". I am looking for individual index names & they are used.

isoutamo · ‎01-20-2022

Hi

here is old answer which probably gives you a needed SPL https://community.splunk.com/t5/Dashboards-Visualizations/default-home-dashboard-for-each-specific-u...

r. Ismo

SinghK · ‎01-19-2022

Sam,

the command was the base command, you will have to play with it a bit.

| rest /services/data/indexes| stats by title

title is the field where name of index is...

SinghK · ‎01-19-2022

but still wont tell you who is using what index..

How do I create a list of indexes (internal & non-internal) used by users - am getting performance errors for admin role

using Enterprise Security

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!