we have nearly 700+ index configured in splunk and more than 1000+ sourcetypes associated with it. So I will need to find out which index and sourcetype is not used by user in any of the savedsearch, dashboard, macro, Ad-hoc searches, alerts. I was looking into audit index for last 90 days but didnt get accurate result.
i will need splunk query to get the report to show unused index and sourcetype.
Again - Splunk won't find something that's not there. Because how should it? So you need to have a list of what you expect, then you do a list of what you have and you compare both lists. You can't get it other way because how? If Splunk doesn't have something it can't tell you what it is. See the link I pointed you to.
The question is how do you compile that list. You're saying that you have specific sourcetypes "associated" with indexes. So you should have some table. Upload this table to Splunk as lookup and use this lookup to compare with your search results.
You have to be more specific.
1. There are many index names and sourcetypes which are not used in your environment. For example, I don't think you're using index names that I use in my private lab environment at home. You have to be more specific about what you need (while with the indexes you can mean checking just all defined indexes, with sourcetypes it's not clear)
2. You can't find something that isn't there. So you must have a list against which you'll be comparing your search results. See https://www.duanewaddle.com/proving-a-negative/