Splunk Enterprise Security

How do I create a list of indexes (internal & non-internal) used by users? I am getting performance errors for the admin role

SamHTexas
Builder

I am getting performance errors on ES regarding the many indexes used by users, especially the admin role. Any SPL or direction is much appreciated.


richgalloway
SplunkTrust

Tell us more about the problem. What "performance errors" are you getting? What makes you think it's an index problem?

---
If this reply helps you, an upvote would be appreciated.

SamHTexas
Builder

Thank you for your message. The message I am getting now on ES is "The list of indexes to be searched by default by admin role includes all non-internal indexes", and that is causing the performance problem. So I need to learn how to create a list of users and the indexes they are using by role, and possibly the amount of data being ingested or so, because we have local admin accounts aside from routine accounts by user name. I hope I explained what I am facing. I appreciate any SPL or directions. Per your suggestion I am using the MC very closely. We have it in distributed mode on Enterprise and non-distributed mode on ES.


richgalloway
SplunkTrust
SplunkTrust

That message is saying the default indexes for the admin role are too broad. IOW, any admin that doesn't specify an index in a search will end up searching all non-internal indexes. You know that's not good. The fix is to remove all indexes from the default list (do that for all other roles, too). This will force users to always specify an index name in their searches if they want to see results. Of course, you'll want to let people know you've done that so they know to always specify an index.

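As an added example, not part of Rich's reply, here is one SPL search that checks the condition the ES message is complaining about: it lists every user on the search head, the roles they hold, and the effective default index list those roles give them, and flags any role whose defaults contain the `*` wildcard. It reads the `authentication/users` and `authorization/roles` REST endpoints; the `imported_srchIndexesDefault` field of the roles endpoint carries defaults inherited through importRoles, so a role that imports `admin` is caught too. Users and roles live on the search head, hence `splunk_server=local`.

```spl
| rest /services/authentication/users splunk_server=local count=0
| rename title AS user
| fields user roles
| mvexpand roles
| join type=left roles
    [ | rest /services/authorization/roles splunk_server=local count=0
      | rename title AS roles
      | eval effective_default=mvdedup(mvappend(srchIndexesDefault, imported_srchIndexesDefault))
      | eval broad_default=if(mvcount(mvfilter(effective_default="*")) > 0, "yes", "no")
      | eval effective_default=if(isnull(effective_default), "(none)", effective_default)
      | fields roles effective_default broad_default ]
| table user roles effective_default broad_default
| sort -broad_default user
```

Rows with `broad_default=yes` are the users whose index-less searches fan out across every non-internal index. Rich's fix corresponds to clearing the Default column for every index under Settings > Roles (the `srchIndexesDefault` setting in authorize.conf) while leaving the allowed list alone, then re-running this search to confirm every role shows `(none)`.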

SamHTexas
Builder

Please, is there a way to make a list of the indexes each user uses? How do I make a list of internal and non-internal indexes that user roles are using? Thanks very much as usual.


richgalloway
SplunkTrust

There is no record of which indexes a user has accessed or of which users have accessed an index.

You can scrape the internal logs for searches that have been run and extract index names from them. However, if users are using default indexes then that information will be absent from the logs.

You could ask the users what indexes they use/need, but you may find out they don't know because they haven't had to worry about it.

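An added example, not part of Rich's reply, of the log scraping he describes. Every search the search head grants is logged in the `_audit` index (sourcetype audittrail) with the requesting user and the search string, so explicit `index=` references can be pulled out with a regex. Searches that name no index are counted under a constructed bucket called `(role default)`; that bucket is exactly the set of searches that depend on the role's default index list, which is the gap Rich points out. The typeahead exclusion and the 30-day window are assumptions to tune.

```spl
index=_audit sourcetype=audittrail action=search info=granted search=* earliest=-30d
    NOT search="'typeahead*"
| rex field=search max_match=0 "(?i)\bindex\s*=\s*\"?(?<searched_index>[^\s\"\)]+)"
| eval searched_index=if(isnull(searched_index), "(role default)", searched_index)
| mvexpand searched_index
| stats count AS searches, min(_time) AS first_seen, max(_time) AS last_seen BY user, searched_index
| convert ctime(first_seen) ctime(last_seen)
| sort user -searches
```

Read the result as a usage list per user and index. Scheduled searches (including ES correlation searches) appear under their owning user, so an `admin` row with many `(role default)` hits may be automation rather than people. The regex only sees literal `index=` tokens: `index IN (...)`, wildcards such as `index=web*`, and indexes hidden inside macros, eventtypes or data models need their own handling, and `info=granted` records that a search ran, not that it returned anything.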

SinghK
Contributor

| rest /services/data/indexes will give you the list of all indexes, etc. There are many fields; check and use as per your requirement.


SamHTexas
Builder

Thanks very much, but this does not name indexes by name. It shows indexes like "all_shcluster_indexes". I am looking for individual index names and how they are used.


isoutamo
SplunkTrust

Hi

Here is an old answer which probably gives you the needed SPL: https://community.splunk.com/t5/Dashboards-Visualizations/default-home-dashboard-for-each-specific-u...

r. Ismo

SinghK
Contributor

Sam,

The command was the base command; you will have to play with it a bit.

| rest /services/data/indexes | stats count by title

title is the field where the name of the index is.

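An added example, not part of SinghK's post, that builds on the same endpoint to produce the inventory Sam asked for: individual index names, split into internal and non-internal (internal index names start with `_`, the same `_*` pattern the role allowed-index list uses), with on-disk size and event counts. In distributed mode the REST call fans out to every search peer and returns one row per index per peer, so the rows are summed by title and the peer count is kept so the fan-out is visible.

```spl
| rest /services/data/indexes count=0
| eval index_class=if(match(title, "^_"), "internal", "non-internal")
| stats dc(splunk_server) AS peers, sum(currentDBSizeMB) AS size_mb, sum(totalEventCount) AS events, values(disabled) AS disabled BY title, index_class
| sort -size_mb
```

Run from the ES search head this shows the peers' data, not the search head's own (mostly empty) indexes; add `splunk_server=local` to see only the local instance. As SinghK says next, this tells you what exists and how big it is, not who searches it; that comes from the audit log.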

SinghK
Contributor

But it still won't tell you who is using what index.
