Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

How to find the most searched index in splunk?

sim_tcr
Communicator
‎10-29-2015 12:23 AM

Hello,

How to find the most searched index in splunk?

This would help us to increase the hot/warm buckets for them.

Thanks,
Simon Mandy

0 Karma
Reply
Highlighted

Re: How to find the most searched index in splunk?

PPape
Contributor
‎10-29-2015 01:30 AM

Hello Simon Mandy,

maybe you want to try this:

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | rex field=search "index=(?P<search_index>[^ ]+)" | stats count by search_index | sort - count

I hope this helps.

regards

Reply
Highlighted

Re: How to find the most searched index in splunk?

lakromani
Builder
‎10-29-2015 02:36 AM

This works fine if only one index is search, but if you have some like this:
index=ciscofirewall OR index="cpfirewall user="Garth"
Your result will only show cisco_firewall

A search like this:
index=*_firewall user="Garth"
will show up as **_firewall*

Other than that its a nice way to see what is used in search.

0 Karma
Reply
Highlighted

Re: How to find the most searched index in splunk?

PPape
Contributor
‎10-29-2015 03:03 AM

Yes you are right.
The first problem should be solveable with the "maxmatch=[number]" parameter.
The second Problem isn't really a problem. If there are many searches to *firewall you know you have to improve all of the matching indexes.

0 Karma
Reply
Highlighted

Re: How to find the most searched index in splunk?

w531t4
Path Finder
‎11-01-2017 07:54 AM

doesn't work if user searches eventtype=blah

0 Karma
Reply