Splunk Dev

Index hit by searches in last 30 days

splunkgk
Path Finder

Hi,

I am doing a clean-up of all of our indexes and I need to know who (which users) searched each index in the last 30 days. If no search is found against an index, I am going to apply a retention policy on that index to keep minimum data in the HOT bucket of that index.

Tried with

index=_audit action=search earliest=@d user!="splunk-system-user" user!=admin | stats values(search) by user 

But this didn't give results per index.

Could someone let me know how I use the history function to find out if anyone has run searches against any of the indexes in the last 30 days, so that I can apply reduction on them?

-Thanks


s2_splunk
Splunk Employee

Unless your users explicitly specify index=xxx in their search, you cannot do this, since there is no audit log of which indices were implicitly accessed based on a user's permissions.
You can remove all "indices searched by default" for all roles, which will force users to specify index=xxx in their searches, which in turn will allow you to see what was used from _audit.

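As an added example (not code from the thread), the check the answer above describes, done in Python over constructed _audit search events: each search is attributed to the index= terms it names, and a search with no index= term lands in an "implicit" bucket, which is exactly the gap that cannot be audited until default indexes are removed from the roles. The event format, user names and index names are simplified and constructed; in practice the list of all indexes would come from | rest /services/data/indexes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample _audit search events, simplified from Splunk's real
# Audit:[...] format. These are not real log lines from the original post.
SAMPLE_AUDIT = """\
timestamp=03-01-2024 09:12:00.000, user=alice, action=search, info=granted, search='search index=web status=500'
timestamp=03-02-2024 11:40:00.000, user=bob, action=search, info=granted, search='search index="firewall" action=blocked | stats count by src'
timestamp=03-03-2024 14:05:00.000, user=carol, action=search, info=granted, search='search sourcetype=syslog error'
timestamp=03-04-2024 08:00:00.000, user=splunk-system-user, action=search, info=granted, search='search index=_internal'
timestamp=03-05-2024 16:30:00.000, user=alice, action=search, info=granted, search='search index=web OR index=proxy | top uri'
"""

LINE_RE = re.compile(
    r"timestamp=(?P<ts>[\d-]+ [\d:.]+), user=(?P<user>[^,]+), action=search, "
    r"info=\w+, search='(?P<search>.*)'$")
# Explicit index= terms, quoted or bare, wildcards included.
INDEX_RE = re.compile(r'\bindex\s*=\s*"?([A-Za-z0-9_*-]+)"?', re.IGNORECASE)
EXCLUDED_USERS = {"splunk-system-user", "admin"}  # same exclusions as the question's search
IMPLICIT = "(no index= term: default indexes, not auditable)"


def indexes_in_search(spl):
    """Return the explicit index= values in an SPL string, or the IMPLICIT marker."""
    found = INDEX_RE.findall(spl)
    return sorted(set(found)) if found else [IMPLICIT]


def index_usage(audit_text):
    """Map each index name to {user: time of that user's latest search naming it}."""
    usage = defaultdict(dict)
    for line in audit_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] in EXCLUDED_USERS:
            continue
        ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f")
        for idx in indexes_in_search(m["search"]):
            prev = usage[idx].get(m["user"])
            if prev is None or ts > prev:
                usage[idx][m["user"]] = ts
    return dict(usage)


def unsearched(all_indexes, usage):
    """Indexes no audited search named explicitly. Only a safe retention signal
    once roles have no default indexes, so every search must say index=."""
    return sorted(i for i in all_indexes if i not in usage)
```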

sbbadri
Motivator

The query below will list, for each user, their roles, the search indexes they are allowed and their search filter.

| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [| rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+)
| fillnull value=" "
| mvexpand srchIndexesAllowed | mvexpand srchIndexesDefault
| join type=left max=999 srchIndexesAllowed [| rest /services/data/indexes | table title | eval srchIndexesAllowed = if(match(title, "^_"), "_*", "*") | rename title as IndexesAllowed]
| join type=left max=999 srchIndexesDefault [| rest /services/data/indexes | table title | eval srchIndexesDefault = if(match(title, "^_"), "_*", "*") | rename title as IndexesDefault]
| stats values(*) as * by user
| foreach srch*
[eval <<FIELD>> = mvappend(<<FIELD>>, <<MATCHSTR>>) | eval <<FIELD>> = mvfilter(match(<<FIELD>>, "^[^*]+$"))]
| fields - Indexes*


s2_splunk
Splunk Employee

Cool search, but it doesn't really tell you which of the permitted indices were actually searched. 🙂
