List indexes that are being used

robnewman666
Path Finder

Hello, I am trying to bring up a search that will tell me how much each index is being used, but the search_index field doesn't work. Here is the search:

index=_audit action=search (id=* OR search_id=*)
| rex "user=(?<user>.*?),"
| search user!=splunk-system-user
| search user!=admin
| search search!=*_internal* search!=*_audit*
| rex max_match=0 field=search_index "((?:index(\")?=(?:\\|\\\"|\")?)|(?:s\w+\s\S))(?<my_indexes>[^\\\s\"]+)"
| eval search_index=mvdedup(search_index)
| convert num(total_run_time)
| eval time_of_search=strftime(_time, "%F %T")
| table user time_of_search total_run_time savedsearch_name search_index search

0 Karma

dave_null
Path Finder

In the first line of your search, you misspelled "seach_id"

0 Karma

robnewman666
Path Finder

Yep, ignore that, I could only copy from a different machine in this case, so was typing all this out. (Fixed)

0 Karma
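
Added example, not part of the original thread: in the search as posted, `rex` reads from `field=search_index` and captures into `my_indexes`, so nothing ever populates the `search_index` field that the later `eval` and `table` use. The variant below assumes the search text is in the `search` field (the same field the posted filter `search!=*_internal*` uses), captures directly into `search_index` with a simplified regex of my own, and then counts usage per index.

```spl
index=_audit action=search (id=* OR search_id=*)
| rex "user=(?<user>.*?),"
| search user!=splunk-system-user user!=admin
| search search!=*_internal* search!=*_audit*
| rex max_match=0 field=search "\bindex\s*=[^\w*]{0,3}(?<search_index>[\w*][\w*-]*)"
| eval search_index=mvdedup(search_index)
| convert num(total_run_time)
| mvexpand search_index
| stats count AS searches dc(user) AS users sum(total_run_time) AS total_run_time BY search_index
| sort - searches
```

This only sees indexes written literally as `index=<name>` in the search string, so searches that rely on a role's default indexes, on macros, or on `index IN (...)` are not counted. Wildcards such as `index=win*` are reported as written rather than expanded.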