Splunk Enterprise Security

How do I create a list of indexes (internal & non-internal) used by users - am getting performance errors for admin role

SamHTexas
Builder

I am getting performance errors on the ES reg. many indexes used by users, specially the admin role. Any SPLs or direction is much appreciated.

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Tell us more about the problem.  What "performance errors" are you getting?  What makes you think it's an index problem?

---
If this reply helps you, Karma would be appreciated.
0 Karma

SamHTexas
Builder

Thank u for your message. The message I am getting now on ES  is " The list of indexes to be searched by default by admin role includes all non-internal indexes" that is causing the performance problem. So I need to learn how to create a list of users & indexes they are using by role & possible amount of data being ingested or so. Because we have local admin accounts aside from routine accts by user name. I hope I explained what am facing. I appreciate any SPLs or directions. Per your suggestion am using the MC very closely. We have it on distributed mode on the Ent & non-distributed mode on the ES.

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

That message is saying the default indexes for the admin role is too broad.  IOW, any admin that doesn't specify an index in a search will end up searching all non-internal indexes.  You know that's not good.  The fix is to remove all indexes from the default list (do that for all other roles, too).  This will force users to always specify an index name in their searches if they want to see results.  Of course, you'll want to let people know you've done that so they know to always specify an index.

---
If this reply helps you, Karma would be appreciated.

SamHTexas
Builder

Please, is there a way to make a list of indexes each user uses. How do I make a list of internal & non -internal indexes that user roles are using. Thanks very much as usual.

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

There is no record of which indexes a user has accessed or of which users have accessed an index.

You can scrape the internal logs for searches that have been run and extract index names from them.  However, if users are using default indexes then that information will be absent from the logs.

You could ask the users what indexes they use/need, but you may find out they don't know because they haven't had to worry about it.

---
If this reply helps you, Karma would be appreciated.
0 Karma

SinghK
Builder

| rest /services/data/indexes will give you the list of all indexes etc, there are many fields check and use as per your requirement.

0 Karma

SamHTexas
Builder

Thanks very much but this does not name indexes by name. It shows indexes like "all_shcluster_indexes". I am looking for individual index names & they are used. 

Tags (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

here is old answer which probably gives you a needed SPL https://community.splunk.com/t5/Dashboards-Visualizations/default-home-dashboard-for-each-specific-u...

r. Ismo

SinghK
Builder

Sam,

the command was the base command, you will have to play with it a bit.

| rest /services/data/indexes| stats by title 

title is the field where name of index is...

0 Karma

SinghK
Builder

but still wont tell you who is using what index..

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...