```Lists, per loginUsername and indexName, the time of the most recent splunk_python event in _internal with action="handleCreate".```
```NOTE(review): presumably these events record index creation through the REST handler; confirm against sample events. Results are limited to the search time range and to what _internal still retains.```
index=_internal sourcetype=splunk_python action="handleCreate" | stats latest(_time) as _time by loginUsername indexName
```Reports indexes whose currentDBSizeMB is at least 75% of maxTotalDataSizeMB; perc_full is that percentage rounded to two decimals.```
```NOTE(review): there is no splunk_server filter and no splunk_server column, so rows for the same title returned by different servers cannot be told apart; confirm this is intended. Rows where the division yields no value (presumably maxTotalDataSizeMB=0) do not pass the perc_full filter and are silently absent.```
| rest /services/data/indexes-extended | table title currentDBSizeMB maxTotalDataSizeMB | eval perc_full=round(currentDBSizeMB/maxTotalDataSizeMB*100, 2) | search perc_full>=75
```Lists each role on the local server with the indexes in its srchIndexesAllowed setting; roles with no value there are dropped by the final search.```
```NOTE(review): srchIndexesAllowed holds only what is set on the role itself. Indexes inherited from imported roles are reported separately (imported_srchIndexesAllowed), so this view may under-state effective access; confirm before using it for an access review.```
| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields title,srchIndexesAllowed | rename srchIndexesAllowed as Indexes, title as Role | search Indexes=*
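```Maps each enabled index to every role that names it explicitly in srchIndexesAllowed. The trailing search keeps only indexes that matched at least one role.```
```max=0 is required on the join: the default (max=1) keeps only the first matching role per index, which hides every other role that can search it.```
```Coverage caveat: role entries containing a wildcard are excluded by the where clause, and only the role's own srchIndexesAllowed is read, so access granted through patterns or through imported roles does not appear here. Treat the output as a lower bound on who can search an index.```
```NOTE(review): the outer rest call has no splunk_server filter, so an index may be listed once per server that answers; confirm whether splunk_server=local is wanted there too.```
| rest /servicesNS/-/-/data/indexes count=0 | where disabled=0 | fields title | rename title as index | join index type=left max=0 [ | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields title,srchIndexesAllowed | rename srchIndexesAllowed as index, title as role | mvexpand index | where NOT match(index,".*\*.*") ] | search role=*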
```Lists the distinct user / info / index / action combinations seen in _audit for action=indexes_edit; count is computed only to de-duplicate the rows and is then dropped.```
```NOTE(review): index is also the default field naming where the event is stored, so this column may simply read _audit rather than the index that was edited; confirm which field in these events carries the target. Events missing any of the by-fields are omitted by stats.```
index=_audit user=* action=indexes_edit | stats count by user, info, index, action | fields - count