How to find the most searched index in splunk?

sim_tcr · ‎10-29-2015

Hello,

This would help us to increase the hot/warm buckets for them.

Thanks,
Simon Mandy

PPape · ‎10-29-2015

Hello Simon Mandy,

maybe you want to try this:

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | rex field=search "index=(?P<search_index>[^ ]+)" | stats count by search_index | sort - count

I hope this helps.

regards

w531t4 · ‎11-01-2017

doesn't work if user searches eventtype=blah

lakromani · ‎10-29-2015

This works fine if only one index is search, but if you have some like this:
index=cisco_firewall OR index="cp_firewall user="Garth"
Your result will only show cisco_firewall

A search like this:
index=*_firewall user="Garth"
will show up as **_firewall*

Other than that its a nice way to see what is used in search.

PPape · ‎10-29-2015

Yes you are right.
The first problem should be solveable with the "max_match=[number]" parameter.
The second Problem isn't really a problem. If there are many searches to *_firewall you know you have to improve all of the matching indexes.

How to find the most searched index in splunk?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life