Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Data used by searches?

whitecat001
Explorer
a month ago

I want a query that shows  the total volume of indexes used for splunk searches. Query on information that has to do with how much indexes are used based on splunk searches 

 
 
Labels (1)
Labels
0 Karma
Reply

splunkreal
Motivator
4 weeks ago

Hello @whitecat001 try this :

index=_audit action="search" search="*" NOT user="splunk-system-user" savedsearch_name="" NOT search="\'|history*" NOT search="\'typeahead*"

| rex "index=(?P<myIndex>\w+)\s+\w+="

| stats count by myIndex
* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
4 weeks ago
Hi
That’s almost mission impossible with standard setup as you could do queries without defining any indexes into it. You could also use eventtypes etc. to hide real index names.
If you star to index all your search logs from sh side and look litesearch part then that could give to you more accurate index list?
r. Ismo
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...