Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Viewing all Indexes and sourcetypes in use.

Abraham1234
Loves-to-Learn Lots
‎06-18-2020 09:10 AM

We are in the midst of a migration from one server to the next, and need to see if there are queries running against specific indexes, virtual indexes and sourcetypes. I have been trying a number of queries against the audit log but can't find a way to extract the following information used by all active queries & reports.

1. name and count of indexes  

2. name and count of virtual indexes

3. name and count of sourcetypes

Been searching for hours, any help appreciated. 

Labels (2)
Labels
Tags (1)
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎06-18-2020 08:26 PM

While answering the which sourcetypes/indexes are available is relatively easy, answering the question of "which of those indexes/sourcetypes were searched recently" is surprisingly difficult.

Two ideas are open on this and under consideration, in particular Better audit logs and Provide index access statistics to assist in capacity planning of the indexing tier 

I put my attempts to complete this into Alerts for Splunk Admins (SplunkBase)  

I also have the searches on github in particular "SearchHeadLevel - Search Queries summary exact match 73" which works in 7.3 and above, but there is definitely some complexity in getting those searches to run so you may wish to take a more simple approach...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

marycordova
SplunkTrust
SplunkTrust
‎06-18-2020 11:15 AM

https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/SearchReference/Metadata

| metadata type=[sourcetypes or sources or hosts] index=*

this will give you a list of each of the above, you might need to set your search to a broad time range, maybe at least 30 days or so depending on what you want to make sure gets migrated

also 

https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/SearchReference/Tstats

| tstats values(sourcetype) WHERE index=* by index

this will give you a list of the sourcetypes by index

 

- upvotes appreciated 🤓

@marycordova
0 Karma
Reply

The_Simko
Path Finder
‎06-18-2020 10:46 AM

Partial Answers coming:

 

3. Sourcetypes
| metadata type=sourcetypes index=*.   
  
2. Virtual Indexes
Do you have virtual indexes, as in Hadoop ones?  
| rest /services/data/indexes | search isVirtual = 1

1. Indexes
| rest /services/data/indexes | search isVirtual = 0


With the rest, you can narrow your fields to find out what you are looking for.

- Michael S

Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...