How to search for and remove indexes in Splunk tha...

biff09 · ‎11-12-2014

Ideally I'd like to search Splunk to determine if anyone is searching a particular index.

My use case is that I'd like to decommission an index and pretty sure no one is using it. But again, if I could convince myself that no one is using it (searching it), I'd feel better!

Thanks in advance.

aljohnson_splun · ‎11-12-2014

What you want to do is search through the _audit index.

I just tested this out and it seemed to work for me, although you may want to change the regex match in case your indexs have different names that don't match there, as in the [\w\d_]+ part.

index=_audit user=* action=search search=* "index"
| rex field=search "index=(?!_audit)(?<index_being_used>[\w\d_]+)"
| stats count by index_being_used, user

Note that I excluded the audit index from being matched with the regex. It seems obvious you'd wand that, and you could add more logic there to make your stats table a bit better too.

biff09 · ‎11-12-2014

(Realized I should have put this response here)
Thanks for the super-quick response! I'm a bit of a Splunk newb + don't have access to the audit index. I'll have to pass this query to the splunk admins.

So perhaps you can indulge me with an example? What if I was performing this search on the index named "bob", what would the full query look like?

Thanks a ton.

aljohnson_splun · ‎11-12-2014

There is also a Splunk on Splunk app that has TONS of information on indexers, performance, etc. I'm surprised you can decommission an index but can't search _audit 😛

Maybe it might look something like

index=_audit user=* action=search search=* "index\=bob" | timechart count by user
That might give you a nice way of seeing its usage, outliers, etc.

How to search for and remove indexes in Splunk that are not being used/searched by users?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!