Splunk Search

How to find the most searched index in splunk?

sim_tcr
Communicator

Hello,

How to find the most searched index in splunk?

This would help us to increase the hot/warm buckets for them.

Thanks,
Simon Mandy

0 Karma

PPape
Contributor

Hello Simon Mandy,

maybe you want to try this:

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | rex field=search "index=(?P<search_index>[^ ]+)" | stats count by search_index | sort - count

I hope this helps.

regards

w531t4
Path Finder

doesn't work if user searches eventtype=blah

0 Karma

lakromani
Builder

This works fine if only one index is search, but if you have some like this:
index=cisco_firewall OR index="cp_firewall user="Garth"
Your result will only show cisco_firewall

A search like this:
index=*_firewall user="Garth"
will show up as **_firewall*

Other than that its a nice way to see what is used in search.

0 Karma

PPape
Contributor

Yes you are right.
The first problem should be solveable with the "max_match=[number]" parameter.
The second Problem isn't really a problem. If there are many searches to *_firewall you know you have to improve all of the matching indexes.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...