Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find the most searched index in splunk?

sim_tcr
Communicator
‎10-29-2015 12:23 AM

Hello,

How to find the most searched index in splunk?

This would help us to increase the hot/warm buckets for them.

Thanks,
Simon Mandy

0 Karma
Reply

PPape
Contributor
‎10-29-2015 01:30 AM

Hello Simon Mandy,

maybe you want to try this:

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | rex field=search "index=(?P<search_index>[^ ]+)" | stats count by search_index | sort - count

I hope this helps.

regards

Reply

w531t4
Path Finder
‎11-01-2017 07:54 AM

doesn't work if user searches eventtype=blah

0 Karma
Reply

lakromani
Builder
‎10-29-2015 02:36 AM

This works fine if only one index is search, but if you have some like this:
index=cisco_firewall OR index="cp_firewall user="Garth"
Your result will only show cisco_firewall

A search like this:
index=*_firewall user="Garth"
will show up as **_firewall*

Other than that its a nice way to see what is used in search.

0 Karma
Reply

PPape
Contributor
‎10-29-2015 03:03 AM

Yes you are right.
The first problem should be solveable with the "max_match=[number]" parameter.
The second Problem isn't really a problem. If there are many searches to *_firewall you know you have to improve all of the matching indexes.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...