How get data, which are the index fields are used ...

NDabhi21 · ‎08-08-2022

would like to reduce the Log data size in index by cut field which are not useful for the use case .

Before cut fields would like check the utilization of field, whether fields are used in any dashboard or searches by any other users.

PickleRick · ‎08-08-2022

Firstly - are you sure you're talking about indexed fields?

richgalloway · ‎08-08-2022

It's a good idea to trim the number of indexed fields. It's not a trivial task, however. There is no auditing of which fields are used and which are not so it will require a good bit of effort on your part to figure it out.

Start with the walklex command to get a good idea of which fields are indexed (it's not 100% accurate). Use that list to search dashboards, saved searches, eventtypes, calculated fields, and macros for matches. If you use any accelerated datamodels then search those, too.

Some REST commands that may help:

| rest /servicesNS/-/-/saved/searches
| rest /servicesNS/-/-/data/ui/views
| rest /services/data/models

---
If this reply helps you, Karma would be appreciated.

ITWhisperer · ‎08-08-2022

It is probably impossible to be 100% sure you can find all the instances where a field might be in use. One reason for this is because fields can be referred to by wildcards.

How get data, which are the index fields are used in which alert or search or dashboards?

correlation search

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life