Splunk Search

Is it possible to get a list of available indices?

flo_cognosec
Communicator

I could then populate a dropdown list with indices 🙂

Somehow I could not get this done, would be cool if somebody could help me 🙂

I would prefer some in-splunk possibilities compared to file-parsing or CLI foo btw out of obv. reasons.

1 Solution

gkanapathy
Splunk Employee

The most efficient way to get accurate results is probably:

| eventcount summarize=false index=* | dedup index | fields index

Just searching for index=* could be inefficient and wrong, e.g., if one index contains billions of events in the last hour, but another's most recent data is back just before midnight, you would either miss out on the second index, or have to retrieve all billions of events just to discover it.

Update:

Corrected to include index=*.
If you want to include internal indexes, you can use:

| eventcount summarize=false index=* index=_* | dedup index | fields index


PickleRick
SplunkTrust

If you use stats or tstats, you're searching against data which may lead to omitted indexes if you haven't received any events for the time period specified. Yes, you can stretch the timeframe but it still won't help for indexes for which you never received any events.

So the easy solution for listing all defined indexes would be to use rest

| rest /services/data/indexes 
| rex field=id ".*/(?<index>[^/]+)$"
| fields index


akew
Explorer

You can get the index from the title field, and also filter for enabled (isReady) or internal indexes.

Also, run a stats on the list to remove duplicates from different internal Splunk paths on each "index":

| rest /services/data/indexes
``` remove internal indexes from the list (if needed)```
| search isInternal=0
| fields title id isInternal isReady
| rename isReady as enabled
| stats count by title, enabled
| fields - count


MuS
Legend

I'm really surprised no-one came up with yet another example for this:

| tstats count WHERE index=* by index | table index

Like the REST call, it is also lightning fast 😉

cheers, MuS

kshbq
Engager

It will be pretty late for the answer, but I have done this through this:

index=* | stats count by index | fields index


jkat54
SplunkTrust

This isn't the most inefficient, obfuscated method to do this... but this search should not be used to find index names... ever... in my humble opinion.

mendesjo
Path Finder

Brand new stupid user here, my results:

1st suggestion:
| eventcount summarize=false index=* index=_* | dedup index | fields index

= error in eventcount command: this command is not supported in a real-time search

index=* | dedup index | fields index
This works, but doesn't give you a nice list, rather provides tons of individual lines of data

$SPLUNK_HOME/bin/splunk list index
No results at all.

So for me, again a newbie here, none of these worked for me.

emiller42
Motivator

Check out MuS's answer. It's the best one for this, and works just fine.

https://answers.splunk.com/answers/39370/is-it-possibl-to-get-a-list-of-available-indices.html#answe...


MuS
Legend

and another one

| REST /services/data/indexes | table title

dvb
Path Finder

Yes, this is very performant and I like it as well.
The drawback is that it gives all indexes, not only the ones the user is allowed to see.


jkat54
SplunkTrust

You could use dbinspect to get a list of indexes the user has access to

|dbinspect index=*

mIliofotou_splu
Splunk Employee

| REST /services/data/indexes | table title, currentDBSizeMB

If you want to add the size of the index as well.

wsnyder2
Path Finder

very nice indeed! thank you .. here is a slight modification.

| REST /services/data/indexes | dedup title | sort title | table title

NMSOpsAtTMo
Engager

Sweet solution!


koshyk
Super Champion

best answer in my opinion


kchen_splunk
Splunk Employee

I like this !


kchen_splunk
Splunk Employee

$SPLUNK_HOME/bin/splunk list index


gingerwizard
Loves-to-Learn Lots

Can this be enriched to indicate if the index has metrics or logs?


gam1
Engager

Any idea why this solution is not working as a dynamic option in a dashboard? I don't get any results with this query but its running fine in a search.


steven_swor
Path Finder

I downvoted this post because the rest answer is the better one. it is more efficient and will include all indices, even empty ones.
