Solved: Is it possible to get a list of available indices?

flo_cognosec · ‎01-26-2012

I could then populate a dropdown list with indices 🙂

Somehow I could not get this done, would be cool if somebody could help me 🙂

I would prefer some in-splunk possibilities compared to file-parsing or CLI foo btw out of obv. reasons.

gkanapathy · ‎01-26-2012

The most efficient way to get accurate results is probably:

| eventcount summarize=false index=* | dedup index | fields index

Just searching for index=* could be inefficient and wrong, e.g., if one index contains billions of events in the last hour, but another's most recent data is back just before midnight, you would either miss out on the second index, or have to retrieve all billions of events just to discover it.

Update:

Corrected to include index=*.
If you want to include internal indexes, you can use:

| eventcount summarize=false index=* index=_* | dedup index | fields index

View solution in original post

MuS · ‎05-22-2018

I'm really surprised no-one came up with yet another example for this:

| tstats count WHERE index=* by index | table index

Like the REST call, it is also lightning fast 😉

cheers, MuS

kshbq · ‎04-24-2017

It will pretty late for the answer : but i have done this through this
index=*|stats count by index|fields index

jkat54 · ‎09-10-2017

This isn't the most, inefficient, obfuscated method to do this... but this search should not be used to find index names... ever... in my humble opinion.

mendesjo · ‎09-02-2015

Brand new stupid user here, my results:

1st suggestion:
| eventcount summarize=false index=* index=_* | dedup index | fields index

= error in eventcount command: this command is not supported in a real-time search

index=* | dedup index | fields index
This works, but doesn't give you a nice list, rather provides tons of individual lines of data

$SPLUNK_HOME/bin/splunk list index
No results at all.

So for me, again newbie here none of these worked for me..

emiller42 · ‎10-19-2015

Check out MuS's answer. It's the best one for this, and works just fine.

https://answers.splunk.com/answers/39370/is-it-possibl-to-get-a-list-of-available-indices.html#answe...

MuS · ‎03-05-2014

and another one

| REST /services/data/indexes | table title

dvb · ‎08-04-2017

Yes, this is very performant and I like it as well.
The drawback is that it gives all indexes, not only the ones the user is allowed to see.

jkat54 · ‎05-22-2018

You could use dbinspect to get a list of indexes the user has access to

|dbinspect index=*

mIliofotou_splu · ‎08-24-2016

| REST /services/data/indexes | table title, currentDBSizeMB

If you want to add the size of the index as well.

wsnyder2 · ‎10-26-2015

very nice indeed! thank you .. here is a slight modification.

| REST /services/data/indexes | dedup title | sort title | table title

NMSOpsAtTMo · ‎04-01-2015

Sweet solution!

koshyk · ‎10-17-2014

best answer in my opinion

kchen_splunk · ‎03-05-2014

I like this !

kchen_splunk · ‎03-05-2014

$SPLUNK_HOME/bin/splunk list index

gkanapathy · ‎01-26-2012

The most efficient way to get accurate results is probably:

| eventcount summarize=false index=* | dedup index | fields index

Just searching for index=* could be inefficient and wrong, e.g., if one index contains billions of events in the last hour, but another's most recent data is back just before midnight, you would either miss out on the second index, or have to retrieve all billions of events just to discover it.

Update:

Corrected to include index=*.
If you want to include internal indexes, you can use:

| eventcount summarize=false index=* index=_* | dedup index | fields index

View solution in original post

steven_swor · ‎11-24-2015

I downvoted this post because the rest answer is the better one. it is more efficient and will include all indices, even empty ones.

flo_cognosec · ‎02-02-2012

I now hardcoded the index names in a StaticSelect for performance reasons ^^ Technically not pretty but efficient and solves my problem 🙂

inventsekar · ‎09-25-2020

old post,... but,... may i know whats "StaticSelect" (if its still not deprecated)

gkanapathy · ‎01-27-2012

It is not correct that you will only see local indexes. the eventcount command will return all indexes that can be searched, local or remote distributed ones. But yes, it will only list ones that are accessible to the running user. It is true that Splunk's UI, API, and Management GUI does not provide a way to bypass security restrictions to allow people to list indexes they do not have access to.

rtadams89 · ‎01-27-2012

This will not work. Such a search will only return events indexed locally, and therefore you have the potential to miss a bunch of indexes.

index=* | dedup index | fields index

run over all time

Would be better (in terms of getting all a complete list of indexes), but is not very efficient, it will only show indexes the person running the search has access to.

I don't believe Splunk has a reliable way to get a list of all current indexes through the web GUI (even the management section can be lacking in certain cases).