Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Viewing all Indexes and sourcetypes in use.

Abraham1234
Loves-to-Learn Lots
‎06-18-2020 09:10 AM

We are in the midst of a migration from one server to the next, and need to see if there are queries running against specific indexes, virtual indexes and sourcetypes. I have been trying a number of queries against the audit log but can't find a way to extract the following information used by all active queries & reports.

1. name and count of indexes  

2. name and count of virtual indexes

3. name and count of sourcetypes

Been searching for hours, any help appreciated. 

Labels (2)
Labels
Tags (1)
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎06-18-2020 08:26 PM

While answering the which sourcetypes/indexes are available is relatively easy, answering the question of "which of those indexes/sourcetypes were searched recently" is surprisingly difficult.

Two ideas are open on this and under consideration, in particular Better audit logs and Provide index access statistics to assist in capacity planning of the indexing tier 

I put my attempts to complete this into Alerts for Splunk Admins (SplunkBase)  

I also have the searches on github in particular "SearchHeadLevel - Search Queries summary exact match 73" which works in 7.3 and above, but there is definitely some complexity in getting those searches to run so you may wish to take a more simple approach...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

marycordova
SplunkTrust
SplunkTrust
‎06-18-2020 11:15 AM

https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/SearchReference/Metadata

| metadata type=[sourcetypes or sources or hosts] index=*

this will give you a list of each of the above, you might need to set your search to a broad time range, maybe at least 30 days or so depending on what you want to make sure gets migrated

also 

https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/SearchReference/Tstats

| tstats values(sourcetype) WHERE index=* by index

this will give you a list of the sourcetypes by index

 

- upvotes appreciated 🤓

@marycordova
0 Karma
Reply

The_Simko
SplunkTrust
SplunkTrust
‎06-18-2020 10:46 AM

Partial Answers coming:

 

3. Sourcetypes
| metadata type=sourcetypes index=*.   
  
2. Virtual Indexes
Do you have virtual indexes, as in Hadoop ones?  
| rest /services/data/indexes | search isVirtual = 1

1. Indexes
| rest /services/data/indexes | search isVirtual = 0


With the rest, you can narrow your fields to find out what you are looking for.

- Michael S

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...