Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

validate that index is not being queried in splunk

efaundez
Path Finder
‎05-05-2020 07:42 AM

Good afternoon

   I can validate in the MC which index have events and which do not, but is it possible to know which index is not being consulted by users? this would let you know that data is not being used and possibly delete it.

Your support is appreciated

0 Karma
Reply

codebuilder
Influencer
‎05-05-2020 09:08 AM

You can use the following as a base search, then examine the fields available to narrow down to what you're looking for.

index=_audit action=search sourcetype=audittrail
----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Get Updates on the Splunk Community!