Thank you brother! I'm checking it out as we speak

At a high level, the following searches can be start points for the information you're looking for.

1. Audit index queries: -

• Use "index=_audit" to explore usage data
• Look for sourcetypes like "audittrail" and "searches"

2. Knowledge Object (KO) usage:

• Check for saved searches, reports, and dashboards usage
• Use "index=_audit action=search search_id=*" to find executed searches
• Check "index=_internal sourcetype=splunkd_conf" for configuration changes

3. Index usage:

• Analyze "index=_internal sourcetype=splunkd_access" for index access patterns
• Use "index=_introspection sourcetype=splunk_resource_usage" for resource usage

4. Search performance:

• Examine "index=_audit action=search" for slow searches
• Look at "index=_internal sourcetype=scheduler" for scheduled search performance

5. Data intake:

• Review "index=_internal sourcetype=splunkd" for forwarder and receiver logs

You could also look at the Alerts for Splunk Admins app on Splunkbase which has a good bunch of searches baked in (https://splunkbase.splunk.com/app/3796)

Please let me know how you get on and consider upvoting/karma this answer if it has helped.
Regards

Will

Thanks! im a bit new to the splunk community forum. But if i accept this as the solution, will it prevent other users from still inputting advice?

Hi @Kenny_splunk 

other people will still be able to reply but the one accepted will be at the top to allow others to see it easily if they come across the same questions. 
Thanks!

will

understood, so my el basicallly hands me an index today and tells me to investigate it. My anxiety is going through the roof. Please...and tips and advice and best practice?