Query to get index/sourcetype that aren't being used in Splunk

harishsplunk7

How to get the list of indexes/sources that aren't being used in Splunk for the last 90 days? Can anyone suggest a query to get the index/sourcetype not used in any knowledge object?

harishsplunk7

We have nearly 700+ indexes configured in Splunk and more than 1000+ sourcetypes associated with them. So I will need to find out which index and sourcetype is not used by users in any of the saved searches, dashboards, macros, ad-hoc searches, alerts. I was looking into the audit index for the last 90 days but didn't get an accurate result.

I will need a Splunk query to get the report to show unused indexes and sourcetypes.

PickleRick

Again - Splunk won't find something that's not there. Because how should it? So you need to have a list of what you expect, then you make a list of what you have and you compare both lists. You can't get it any other way because how? If Splunk doesn't have something it can't tell you what it is. See the link I pointed you to.

The question is how you compile that list. You're saying that you have specific sourcetypes "associated" with indexes. So you should have some table. Upload this table to Splunk as a lookup and use this lookup to compare with your search results.

 

0 Karma
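The comparison described in the reply above, applied offline to the question's case of search usage, as an added example that is not part of the original thread: an expected table of index/sourcetype pairs is checked against the `index=` and `sourcetype=` terms found in a set of search strings, with wildcards honoured. The table, the search strings and the function names are constructed for illustration, and the regex is a deliberate simplification of SPL parsing (macros, `NOT` clauses and searches relying on default indexes are not resolved).

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the "what you expect" table (index, sourcetype).
EXPECTED = [
    ("web", "access_combined"),
    ("web", "nginx:error"),
    ("winsec", "WinEventLog"),
    ("netfw", "pan:traffic"),
    ("legacy_app", "app:log"),
]

# Constructed sample: search strings gathered from saved searches, dashboards
# or exported audit events for the review window.
SEARCHES = [
    'search index=web sourcetype=access_combined status=500 | stats count by host',
    'search index="win*" EventCode=4625 | stats count by user',
    'search (index=netfw OR index=web) sourcetype="pan:*" action=blocked',
]

# Matches index=<v> / sourcetype=<v>, optionally quoted; "!=" is not matched.
_TERM = re.compile(r'\b(index|sourcetype)\s*=\s*"?([^\s"|()\]]+)"?', re.IGNORECASE)

def referenced(search):
    """Return (index_patterns, sourcetype_patterns) named in one search string."""
    found = {"index": set(), "sourcetype": set()}
    for field, value in _TERM.findall(search):
        found[field.lower()].add(value.lower())
    return found["index"], found["sourcetype"]

def unused(expected, searches):
    """Expected (index, sourcetype) pairs that no search string refers to."""
    used = set()
    for search in searches:
        idx_pats, st_pats = referenced(search)
        for index, sourcetype in expected:
            hit_index = any(fnmatchcase(index.lower(), p) for p in idx_pats)
            # A search that names no sourcetype reads every sourcetype in the index.
            hit_st = not st_pats or any(
                fnmatchcase(sourcetype.lower(), p) for p in st_pats)
            if hit_index and hit_st:
                used.add((index, sourcetype))
    return [pair for pair in expected if pair not in used]

if __name__ == "__main__":
    for index, sourcetype in unused(EXPECTED, SEARCHES):
        print(f"{index},{sourcetype}")
```

A pair reported here only means that none of the supplied search strings named it, so the result is only as complete as the collection of searches and the expected table fed in.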

PickleRick

You have to be more specific.

1. There are many index names and sourcetypes which are not used in your environment. For example, I don't think you're using index names that I use in my private lab environment at home. You have to be more specific about what you need (while with the indexes you can mean checking just all defined indexes, with sourcetypes it's not clear).

2. You can't find something that isn't there. So you must have a list against which you'll be comparing your search results. See https://www.duanewaddle.com/proving-a-negative/
