- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Finding a way to include creator name and crea...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm exploring a way to get the search results for the name of Indexes, who created those indexes and creation date.
So far I have got the DDAS Retention Days, DDAS Index Size, DDAA Retention Days, DDAA Usage, along with the Earliest and Latest Event Dates.
I'm trying with the owner of the indexes but am not getting the desired results.
The search query I've been using is given below:
| rest splunk_server=local /servicesNS/-/-/data/indexes
| rename title as indexName, owner as creator
| append [
search index=summary source="splunk-storage-detail" (host="*.personalsplunktesting.*" OR host=*.splunk*.*)
| fillnull rawSizeGB value=0
| eval rawSizeGB=round(rawSizeBytes/1024/1024/1024,2)
| rename idxName as indexName
]
| append [
search index=summary source="splunk-ddaa-detail" (host="*.personalsplunktesting.*" OR host=*.splunk*.*)
| eval archiveUsage=round(archiveUsage,2)
| rename idxName as indexName
]
| stats
latest(retentionDays) as "Searchable Storage (DDAS) Retention Days",
latest(rawSizeGB) as "Searchable Storage (DDAS) Index Size GB",
max(archiver.coldStorageRetentionPeriod) as "Archive Storage (DDAA) Retention Days",
latest(archiveUsage) as "Archive Storage (DDAA) Usage GB",
latest(ninetyDayArchived) as "Archived GB Last 90 Days",
latest(ninetyDayExpired) as "Expired GB Last 90 Days"
by indexName
| append [
| tstats earliest(_time) as earliestTime latest(_time) as latestTime where index=* by index
| eval earliest_event=strftime(earliestTime, "%Y-%m-%d %H:%M:%S"), latest_event=strftime(latestTime, "%Y-%m-%d %H:%M:%S")
| rename index as indexName
| fields indexName earliest_event latest_event
]
| stats
values("Searchable Storage (DDAS) Retention Days") as "Searchable Storage (DDAS) Retention Days",
values("Searchable Storage (DDAS) Index Size GB") as "Searchable Storage (DDAS) Index Size GB",
values("Archive Storage (DDAA) Retention Days") as "Archive Storage (DDAA) Retention Days",
values("Archive Storage (DDAA) Usage GB") as "Archive Storage (DDAA) Usage GB",
values(earliest_event) as "Earliest Event",
values(latest_event) as "Latest Event",
values(creator) as "Creator"
by indexNamePlease can anyone help me on this?
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The owner field is who is the current owner of a knowledge object and used for enforcing permissions and capabilities. Unless the index is created via the GUI the value is likely to default to 'system' or such generic terms. Even if created via the GUI once the user departs the organization the user name should be disabled/deleted which risks leaving the object unavailable and the object should be migrated to a generic ID or a different user.
I don't see any automated method of pulling the information you desire from a rest call given that owner can change and creation date is likely just listed as earliest event in the index which is not reliable.
Previously I would have an app just to define indexes pushed to IDX tier from the CM. After the index stanza you can comment in the information you want to record but you wouldn't be able to view that from a rest call.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The owner field is who is the current owner of a knowledge object and used for enforcing permissions and capabilities. Unless the index is created via the GUI the value is likely to default to 'system' or such generic terms. Even if created via the GUI once the user departs the organization the user name should be disabled/deleted which risks leaving the object unavailable and the object should be migrated to a generic ID or a different user.
I don't see any automated method of pulling the information you desire from a rest call given that owner can change and creation date is likely just listed as earliest event in the index which is not reliable.
Previously I would have an app just to define indexes pushed to IDX tier from the CM. After the index stanza you can comment in the information you want to record but you wouldn't be able to view that from a rest call.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the response.
I'm running this search query on Splunk Cloud, I redacted the Splunk Cloud Instance ID for privacy and all the indexes are created via GUI itself. System Indexes like _internal, _audit or others are system generated so I can have them renamed as "Splunk Generated Index User".
Apart from that, I'm also researching and assessing the way to fetch creation date as well.
About the IDX part, I think that got deprecated in Victoria Experience or so, but it would be helpful if there's any workaround or any other way to find it.
Index This | What are the 12 Days of Splunk-mas?
Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off
What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience
