Solved: Indexes used within the last 30 day

Strangertinz · ‎01-18-2024

Hi,

I am looking for a search to list out all of the indexes in Splunk. I know how to get the full but looking for a clear way to get a list of the ones being used and actively received data within the last 30 days.

Thanks in advance!

gcusello · ‎01-18-2024

Hi @Strangertinz ,

you could run a simple search like the following:

| tstats count WHERE index=* BY index

on the last 30 days.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎01-18-2024

Hi @Strangertinz ,

you could run a simple search like the following:

| tstats count WHERE index=* BY index

on the last 30 days.

Ciao.

Giuseppe

dtburrows3 · ‎01-18-2024

Probably a few ways of doing this, but if you have access to index=_internal you can try something like this.

index=_internal component=Metrics group=per_index_thruput earliest=-30d@d latest=now
    | bucket span=1h _time
    | stats
        sum(kb) as hourly_kb,
        sum(ev) as hourly_events,
            by _time, series
    | stats
        earliest(_time) as earliest_event,
        latest(_time) as latest_event,
        count as sample_size,
        avg(hourly_kb) as avg_hourly_kb,
        sum(hourly_kb) as total_kb,
        avg(hourly_events) as avg_hourly_events,
        sum(hourly_events) as total_events
            by series
    | convert
        ctime(earliest_event),
        ctime(latest_event)
    | rename
        series as index

Indexes used within the last 30 day

eval

fields

join

metadata

search job inspector

stats

subsearch

table

tstats

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector