Splunk search for Indexes that are not used
Copy
| tstats count where earliest=-90d by index | fields - count | search NOT [ index=_audit earliest=-7d latest=now action="search" search="*" | rex field=search "index=(?<index_used>[^\s]+)" | stats values(index_used) as index_used ]
This search will return a list of all indexes that have received data within the past 90 days but have not been searched or used in any saved searches or dashboards.
0 comments
[0]
[0]
[0]
[0]
Sign in or Register to submit a comment