Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search for and remove indexes in Splunk that are not being used/searched by users?

biff09
Engager
‎11-12-2014 10:54 AM

Ideally I'd like to search Splunk to determine if anyone is searching a particular index.

My use case is that I'd like to decommission an index and pretty sure no one is using it. But again, if I could convince myself that no one is using it (searching it), I'd feel better!

Thanks in advance.

0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-12-2014 11:24 AM

What you want to do is search through the _audit index.

I just tested this out and it seemed to work for me, although you may want to change the regex match in case your indexs have different names that don't match there, as in the [\w\d_]+ part. 

index=_audit user=* action=search search=* "index"
| rex field=search "index=(?!_audit)(?<index_being_used>[\w\d_]+)"
| stats count by index_being_used, user

Note that I excluded the audit index from being matched with the regex. It seems obvious you'd wand that, and you could add more logic there to make your stats table a bit better too.

Reply

biff09
Engager
‎11-12-2014 11:36 AM

(Realized I should have put this response here)
Thanks for the super-quick response! I'm a bit of a Splunk newb + don't have access to the audit index. I'll have to pass this query to the splunk admins.

So perhaps you can indulge me with an example? What if I was performing this search on the index named "bob", what would the full query look like?

Thanks a ton.

0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-12-2014 11:44 AM

There is also a Splunk on Splunk app that has TONS of information on indexers, performance, etc. I'm surprised you can decommission an index but can't search _audit 😛

Maybe it might look something like

index=_audit user=* action=search search=* "index\=bob" | timechart count by user
That might give you a nice way of seeing its usage, outliers, etc.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...