Splunk search for List of indexes that cannot be accessed by any users
Copy
| rest /servicesNS/-/-/data/indexes count=0
| where disabled=0 | fields title | rename title as index | join index type=left
[ | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
| fields title,srchIndexesAllowed
| rename srchIndexesAllowed as index, title as role
| mvexpand index
| where NOT match(index,".*\*.*") ] | search role=*
This search will show any indexes that currently exist within your Splunk environment that cannot be accessed by any user roles. In order to run this search you must have the rest_properties_get capability.