Splunk Search

How to get a list of all hosts across all indexes if we cannot use index=* (restricted by workload rule)

mlevsh
Builder

Hi,

We need to find all the hosts across all the indexes, but we cannot use index=* anymore, as its use is restricted by a workload rule.

Previously, the following command was used:

| tstats count where index=* by host
| fields - count

But it uses index=* and now we cannot use it.
Will appreciate any ideas. 



gcusello
SplunkTrust

Hi @mlevsh,

The easiest way is to ask to remove that rule, because it isn't useful!

Anyway, you should list all the existing indexes in the WHERE condition:

| tstats count where index IN (index1,index2,index3) by index host
| fields - count

To avoid repeating this list in every command, you could also put all these indexes in a macro or an eventtype and use it in your searches.

Ciao.

Giuseppe
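One way to wire up the macro Giuseppe suggests, as an added example that is not from the thread: a macros.conf stanza holding the index list, and the tstats search calling it. The macro name (allowed_indexes) and the index names are placeholders I assumed, not the poster's real indexes.

```conf
# macros.conf in the local/ directory of the search app
# (added example; allowed_indexes and index1..index3 are placeholders)
[allowed_indexes]
definition = index IN (index1, index2, index3)
iseval = 0

# The search then references the macro in the WHERE clause instead of index=*:
#   | tstats count where `allowed_indexes` by index host
#   | fields - count
#
# For the p* subset mentioned later in the thread, the definition could
# instead be a wildcard that is narrower than index=*:
#   definition = index=p*
```

Because a macro is a plain text substitution, the definition must be a valid tstats WHERE expression on its own; maintaining the list in one place means the search itself never has to carry the 280 names, and the list can be updated when indexes are added or retired.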

mlevsh
Builder

@gcusello 

Hi!

Thank you for your advice!

(1) It will be kind of difficult to list all 280 indexes. We can probably decrease it to 68 by using
something like index=p*
I was wondering if there might be another alternative way to do it without listing all the indexes
in the search or in a macro.

(2) The rule is actually useful to us, since we had a few issues with performance due to users
using index=*, selecting a big time period and searching for some "text" through all of our 280+ indexes.

But I'm just curious why you are saying it isn't useful?

Regards,
@mlevsh 


gcusello
SplunkTrust

Hi @mlevsh,

Maybe you should try a different approach to index creation: usually different indexes are used when there are different retention periods and/or different access grants.

Indexes are silos in which it's possible to store data; different data are differentiated by sourcetype, not by index.

So you could reduce the number of indexes: 280 indexes are very difficult to manage and to use. Why do you have so many indexes?

In other words, there isn't any sense in having one sourcetype in one index.

In other words, indexes aren't database tables.

The best approach is usually to limit the time range that a user can use in a search, not the indexes.

Ciao.

Giuseppe
