Splunk Search

How to find the most searched index in splunk?



How to find the most searched index in splunk?

This would help us to increase the hot/warm buckets for them.

Simon Mandy

0 Karma


Hello Simon Mandy,

maybe you want to try this:

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | rex field=search "index=(?P<search_index>[^ ]+)" | stats count by search_index | sort - count

I hope this helps.


Path Finder

doesn't work if user searches eventtype=blah

0 Karma


This works fine if only one index is search, but if you have some like this:
index=cisco_firewall OR index="cp_firewall user="Garth"
Your result will only show cisco_firewall

A search like this:
index=*_firewall user="Garth"
will show up as **_firewall*

Other than that its a nice way to see what is used in search.

0 Karma


Yes you are right.
The first problem should be solveable with the "max_match=[number]" parameter.
The second Problem isn't really a problem. If there are many searches to *_firewall you know you have to improve all of the matching indexes.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...