Splunk Search

List of newly created indexes in splunk in the last 30 days

sumaitasiddiky
New Member

I need a list of indexes that are newly created in the last 30 days and need the creation date of those indexes.

I have used this query:

| rest /services/data/indexes
| search totalEventCount > 0
| eval now=strftime(now(), "%Y-%m-%d")
| stats first(minTime) as first_date first(now) as now first(currentDBSizeMB) as currentDBSizeMB by title
| eval comparison_date=now()-30*86400
| sort - first_date
| eval first_date=strptime(first_date,"%Y-%m-%dT%H:%M:%S.%6N")
| eval status=if(first_date


martin_mueller
SplunkTrust

You could maintain such a list in a lookup, amend the lookup with a scheduled search using that REST call every day to add a creation date to a first-seen lookup, and then use that lookup to filter for last 30 days or whatever time range you need.

https://www.splunk.com/en_us/blog/tips-and-tricks/maintaining-state-of-the-union.html

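The first-seen lookup pattern from the accepted answer, written out as two SPL searches. This is an added example, not code from the thread or from the linked blog post; the lookup file name index_first_seen.csv and the field name first_seen are assumed names, while title comes from the /services/data/indexes REST endpoint. The first search is the one to schedule daily: it pulls the current index names, appends whatever the lookup already knows, stamps today's epoch on any index not yet in the lookup, keeps the earliest timestamp per index (which also collapses duplicate rows returned from several search peers), and writes the lookup back. The second search is the report that answers the original question for the last 30 days.

```spl
| rest /services/data/indexes
| fields title
| inputlookup append=t index_first_seen.csv
| eval first_seen=coalesce(first_seen, now())
| stats min(first_seen) as first_seen by title
| outputlookup index_first_seen.csv

| inputlookup index_first_seen.csv
| eval first_seen=tonumber(first_seen)
| where first_seen >= relative_time(now(), "-30d@d")
| eval first_seen=strftime(first_seen, "%Y-%m-%d")
| sort - first_seen
```

Two things to keep in mind. inputlookup fails if the file does not exist yet, so run the scheduled search once without the inputlookup line to create it. And first_seen records the day the scheduled search first observed the index, not the day the index was created: on the first run every existing index is stamped with that day, so the 30-day report only becomes meaningful once the lookup has been maintained for longer than the window. The asker's totalEventCount > 0 filter is deliberately left out so that an index which has been created but not yet received data is still recorded.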

charlesmeo
Explorer

I believe this problem has wider ramifications. Please have a look at Splunk Ideas, for a proposal to integrate Splunk with Source Code Control: https://ideas.splunk.com/ideas/E-I-7

This would address this problem and many others. SCC would maintain all your modification dates and revision history. You can furthermore splunk a git repo as well as the git metadata, to report both the available facts and the current code.

Because Splunk supports so many disparate ways to update your configuration--which is code when it comes right down to it--this has always been a problem. In the field there are many ingenious and occasionally really scary home-made solutions, which you have to have, or mature Splunk installations sooner or later become unmanageable.

If you support the notion of source code control integration for Splunk, please vote for the idea so it gets more traction.
Charles



MaverickT
Communicator

What about this search query?

index=_audit action=indexes_edit operation=create

martin_mueller
SplunkTrust

This should only tell you about indexes created via API / UI, not about indexes created via conf files (most common case in real-world environments with a separate indexing tier). Those don't have an easily accessible creation date.
