SPL
List of Indexes
Description
This simple Splunk query will return results for indexes that the current user (typically you) has access to:
*NOTE*: Depending on settings, this may or may not return internal indexes.
host=* | dedup index | table index
Comments
8 total
This is resource consuming. REST or tstats would be a better choice.

| tstats values(sourcetype) where index=* by index

I prefer something like this
| eventcount summarize=f index=* index=_* | dedup index | fields index

Your query is going to be slow. You're better off using dbinspect
| dbinspect index=* | stats count by index

| rest splunk_server=* /services/data/indexes
| fields title
| dedup title

Here is my SPL
| eventcount summarize=f index=* index=_* | dedup index | fields index | sort index

This one was the only one to aggregate the source type by the index in the clearest manner. Thanks

tstats is also a good option.
| tstats latest(_time) as _time count where index=* OR index=_* earliest=-24h latest=now by index, sourcetype, source, host