Splunk Search

Data used by searches?

whitecat001
Explorer

I want a query that shows the total volume of indexes used for Splunk searches. Query on information that has to do with how much indexes are used based on Splunk searches.

 
 
0 Karma

splunkreal
Motivator

Hello @whitecat001, try this:

index=_audit action="search" search="*" NOT user="splunk-system-user" savedsearch_name="" NOT search="\'|history*" NOT search="\'typeahead*"
| rex "index=(?P<myIndex>\w+)\s+\w+="
| stats count by myIndex

* If this helps, please upvote or accept solution if it solved *
0 Karma

isoutamo
SplunkTrust
Hi
That’s almost mission impossible with a standard setup, as you could do queries without defining any indexes in them. You could also use eventtypes etc. to hide real index names.
If you start to index all your search logs from the sh side and look at the litesearch part, then that could give you a more accurate index list?
r. Ismo
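
A variation on the query posted above, added here as an example and not written by either poster: it pulls every `index=` term out of the audited search text instead of only the first, and keeps searches that name no index in a separate bucket. The output names `searches`, `users` and the `(none named)` label are choices made for this example.

```spl
index=_audit action="search" search="*" NOT user="splunk-system-user" savedsearch_name="" NOT search="\'|history*" NOT search="\'typeahead*"
| rex field=search max_match=0 "(?i)\bindex\s*=\s*\"?(?<myIndex>[\w*-]+)"
| eval myIndex=if(isnull(myIndex), "(none named)", mvdedup(myIndex))
| mvexpand myIndex
| stats count AS searches dc(user) AS users BY myIndex
| sort - searches
```

The `(none named)` row counts searches whose text names no index (default indexes, eventtypes, macros), which is the limitation the second reply describes. Wildcards such as `index=*` are reported as written, and `index IN (...)` lists are not matched by this pattern.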