Splunk search for List of indexes that cannot be accessed by any users

Copy
| rest /servicesNS/-/-/data/indexes count=0 | where disabled=0 | fields title | rename title as index | join index type=left [ | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields title,srchIndexesAllowed | rename srchIndexesAllowed as index, title as role | mvexpand index | where NOT match(index,".*\*.*") ] | search role=*
This search will show any indexes that currently exist within your Splunk environment that cannot be accessed by any user roles. In order to run this search you must have the rest_properties_get capability.
0 comments

Category:

REST


Tags:

rest indexes administration

Search Commands:

Sign in or Register to submit a comment