Indexes in Splunk

For those who have more than a few indexes (we've got 27 non-administrative indexes) I wrote this search so people could figure out what we have and what it is used for. The search requires a file called indexdescriptions.csv located in $SPLUNK_HOME/etc/apps/search/lookups (on Windows, "Program Files"\splunk\etc\apps\search\lookups\indexdescriptions.csv). That file should have "index,description" on the first line, then nameofindex,free-form description of the index on each subsequent line. You can try the search without that file by removing the lookup line and removing the 'description' field from the fields command on the last line.

| REST /services/data/indexes | rename title as index
| search NOT index=_* NOT index=splunklogger NOT index=firedalerts NOT index=history
| sort index
| streamstats count as Row
| eval State=case(disabled==0, "Enabled", disabled==1, "Disabled <<===")
| eval "Retention Days"=frozenTimePeriodInSecs/86400
| lookup indexdescriptions.csv index OUTPUTNEW description
| fields Row index State description "Retention Days"
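As an added example, not part of the original post, the same pipeline reproduced in Python so the filtering, state and retention logic can be checked offline against a constructed sample of REST entries and a constructed indexdescriptions.csv. It assumes the entry shape the endpoint returns with output_mode=json (name, content.disabled, content.frozenTimePeriodInSecs); the sample values are made up.

```python
import csv
import io

# Index names the search excludes on top of the internal _* indexes.
EXCLUDED = {"splunklogger", "firedalerts", "history"}

# Constructed sample in the shape of /services/data/indexes?output_mode=json entries
# (name, content.disabled, content.frozenTimePeriodInSecs); the values are made up.
SAMPLE_ENTRIES = [
    {"name": "_internal", "content": {"disabled": False, "frozenTimePeriodInSecs": "2592000"}},
    {"name": "web", "content": {"disabled": False, "frozenTimePeriodInSecs": "7776000"}},
    {"name": "firewall", "content": {"disabled": True, "frozenTimePeriodInSecs": "15552000"}},
    {"name": "history", "content": {"disabled": False, "frozenTimePeriodInSecs": "604800"}},
    {"name": "auth", "content": {"disabled": False, "frozenTimePeriodInSecs": "188697600"}},
]

# Constructed indexdescriptions.csv: "index,description" header, one index per row.
SAMPLE_CSV = """index,description
web,Apache and IIS access logs
auth,Windows security and Linux auth events
"""


def load_descriptions(csv_text):
    """Parse the lookup file into {index: description}."""
    return {row["index"]: row["description"]
            for row in csv.DictReader(io.StringIO(csv_text))}


def build_index_table(entries, descriptions):
    """Mirror the SPL pipeline: search NOT index=_* ..., sort, streamstats, eval, lookup."""
    kept = [e for e in entries
            if not e["name"].startswith("_") and e["name"] not in EXCLUDED]
    kept.sort(key=lambda e: e["name"])
    rows = []
    for row_no, e in enumerate(kept, start=1):  # streamstats count as Row
        content = e["content"]
        # REST may hand back a boolean or "0"/"1"; normalise before comparing.
        disabled = str(content["disabled"]).lower() in ("1", "true")
        rows.append({
            "Row": row_no,
            "index": e["name"],
            # Same marker the original search uses so disabled indexes stand out.
            "State": "Disabled <<===" if disabled else "Enabled",
            # OUTPUTNEW semantics: fill description only when the lookup has one.
            "description": descriptions.get(e["name"]),
            "Retention Days": int(content["frozenTimePeriodInSecs"]) / 86400,
        })
    return rows
```

Running build_index_table(SAMPLE_ENTRIES, load_descriptions(SAMPLE_CSV)) yields three rows (auth, firewall, web); the internal and history indexes are dropped and firewall carries no description because the lookup has none for it.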


  1. George Neusse

    For those using cloud. This REST call above does NOT return ALL defined indexes. I know who knew!

    Here is the rest call to use instead. It is undocumented but should be plug and play for cloud.

    | rest /services/cluster_blaster_indexes/sh_indexes_manager/

