Hello,
How do I find the most searched index in Splunk?
This would help us increase the hot/warm buckets for those indexes.
Thanks,
Simon Mandy
Hello Simon Mandy,
Maybe you want to try this:
index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0"
| rex field=search "index=(?P<search_index>[^ ]+)"
| stats count by search_index
| sort - count
I hope this helps.
Regards
Doesn't work if the user searches eventtype=blah.
This works fine if only one index is searched, but if you have something like this:
index=cisco_firewall OR index="cp_firewall" user="Garth"
your result will only show cisco_firewall.
A search like this:
index=*_firewall user="Garth"
will show up as *_firewall.
Other than that, it's a nice way to see what is used in searches.
Yes you are right.
The first problem should be solvable with the "max_match=[number]" parameter.
The second problem isn't really a problem. If there are many searches against *_firewall, you know you have to improve all of the matching indexes.
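As an added example, not part of the thread above and written in Python rather than SPL so it can be run offline: the same extraction re-implemented over a few constructed _audit-style lines. It shows why the posted rex credits only the first index in "index=a OR index=b", how rex max_match=0 followed by mvexpand fixes that, and, going one step beyond the thread, how a wildcard such as *_firewall can be spread over the indexes it matches when the list of indexes is known. The sample lines, the regexes, the exclusion tokens, and the index list are assumptions made for illustration.

```python
import fnmatch
import re
from collections import Counter

# Constructed sample lines in the shape of index=_audit "action=search" events.
# They are not real audit records; they cover the cases raised in the thread:
# a single index, two indexes joined with OR, a wildcard index, plus a
# scheduler/system search and a |history search that the SPL filters out.
AUDIT_SAMPLE = [
    "Audit:[timestamp=01-01-2024 10:00:00.000, user=garth, action=search, info=granted, "
    "search_id='1704103200.1', search='search index=cisco_firewall user=\"Garth\"']",
    "Audit:[timestamp=01-01-2024 10:01:00.000, user=garth, action=search, info=granted, "
    "search_id='1704103260.2', search='search index=cisco_firewall OR index=\"cp_firewall\" user=\"Garth\"']",
    "Audit:[timestamp=01-01-2024 10:02:00.000, user=simon, action=search, info=granted, "
    "search_id='1704103320.3', search='search index=*_firewall user=\"Garth\"']",
    "Audit:[timestamp=01-01-2024 10:03:00.000, user=splunk-system-user, action=search, info=granted, "
    "search_id='scheduler__admin__search__RMD5abc_at_1704103380_4', search='search index=_internal | head 10']",
    "Audit:[timestamp=01-01-2024 10:04:00.000, user=simon, action=search, info=granted, "
    "search_id='1704103440.5', search='|history']",
    "Audit:[timestamp=01-01-2024 10:05:00.000, user=simon, action=search, info=granted, "
    "search_id='1704103500.6', search='search index=web_proxy eventtype=blah']",
]

# Same exclusions as the NOT clauses in the posted SPL (assumed substrings).
EXCLUDE = (
    "search_id='scheduler",
    "search='|history",
    "user=splunk-system-user",
    "search='typeahead",
    "search='| metadata type=*",
)

# search='...' is assumed to end at "', " or at the closing "]" of the record.
SEARCH_FIELD_RE = re.compile(r"search='(?P<search>.*?)'(?:, |\])")
# index=foo or index="foo"; the quotes are stripped from the captured name.
INDEX_RE = re.compile(r'index="?(?P<search_index>[^\s"]+)"?')


def is_user_search(line):
    """Keep granted, user-initiated searches; drop scheduler/system noise."""
    if "action=search" not in line or "info=granted" not in line:
        return False
    return not any(token in line for token in EXCLUDE)


def search_field(line):
    """Return the text of the search='...' field, or None when absent."""
    m = SEARCH_FIELD_RE.search(line)
    return m.group("search") if m else None


def first_index(search_text):
    """Mimic the posted rex with its default max_match=1: only the first
    index= token is extracted, so "index=a OR index=b" credits only a."""
    m = INDEX_RE.search(search_text)
    return [m.group("search_index")] if m else []


def all_indexes(search_text):
    """Mimic rex max_match=0 followed by mvexpand: every index= token."""
    return INDEX_RE.findall(search_text)


def count_indexes(lines, extractor=all_indexes):
    """Equivalent of `| stats count by search_index` over the audit lines."""
    counts = Counter()
    for line in lines:
        if not is_user_search(line):
            continue
        text = search_field(line)
        if text is not None:
            counts.update(extractor(text))
    return counts


def resolve_wildcards(counts, known_indexes):
    """Spread a wildcard pattern such as *_firewall over every known index it
    matches, so per-index totals include searches that reached it via a glob."""
    resolved = Counter()
    for pattern, n in counts.items():
        if any(ch in pattern for ch in "*?["):
            for name in fnmatch.filter(known_indexes, pattern):
                resolved[name] += n
        else:
            resolved[pattern] += n
    return resolved


def most_searched(lines, known_indexes=None):
    """Equivalent of `| sort - count`: (index, count) pairs, busiest first."""
    counts = count_indexes(lines, all_indexes)
    if known_indexes is not None:
        counts = resolve_wildcards(counts, known_indexes)
    return counts.most_common()


if __name__ == "__main__":
    print("first match only:", dict(count_indexes(AUDIT_SAMPLE, first_index)))
    print("all matches     :", dict(count_indexes(AUDIT_SAMPLE, all_indexes)))
    known = ["cisco_firewall", "cp_firewall", "web_proxy", "_internal"]  # assumed index list
    for name, n in most_searched(AUDIT_SAMPLE, known):
        print(f"{n:4d}  {name}")
```

Run with the sample as-is and cp_firewall is missing from the first-match count but present in the all-matches count, which is the gap the thread describes; the SPL equivalent of all_indexes is `rex max_match=0 field=search "index=(?P<search_index>[^ ]+)" | mvexpand search_index`. Whether to fold *_firewall into each matching index (resolve_wildcards) or keep it as its own row, as the thread suggests, is a reporting choice; the wildcard row is enough to know that every matching index needs attention.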