I could then populate a dropdown list with indices :)

Somehow I could not get this done, would be cool if somebody could help me :)

I would prefer some in-Splunk possibilities over file parsing or CLI foo, btw, for obvious reasons.

asked 26 Jan '12, 05:04

flo_cognosec


3 Answers:

The most efficient way to get accurate results is probably:

| eventcount summarize=false index=* | dedup index | fields index

Just searching for index=* could be inefficient and wrong, e.g., if one index contains billions of events in the last hour, but another's most recent data is back just before midnight, you would either miss out on the second index, or have to retrieve all billions of events just to discover it.

Update:

Corrected to include index=*. If you want to include internal indexes, you can use:

| eventcount summarize=false index=* index=_* | dedup index | fields index

answered 26 Jan '12, 07:04

gkanapathy ♦

edited 27 Jan '12, 12:26

This does not give me a list of all available indices, just the ones I set up to be searched by default, or am I missing something?

(27 Jan '12, 00:14) flo_cognosec

Gkanapathy is quite right, my search would be rubbish! @flo_cognosec, the search you need is: | eventcount summarize=false index=* | dedup index | fields index

(27 Jan '12, 04:06) Drainy

Sorry, my mistake. You need to add 'index=*' as an argument to the summarize command, as draineh did.

(27 Jan '12, 07:42) gkanapathy ♦

This will not work. Such a search will only return events indexed locally, and therefore you have the potential to miss a bunch of indexes.

index=* | dedup index | fields index

run over all time

Would be better (in terms of getting a complete list of indexes), but is not very efficient, and it will only show indexes the person running the search has access to.

I don't believe Splunk has a reliable way to get a list of all current indexes through the web GUI (even the management section can be lacking in certain cases).

(27 Jan '12, 11:00) rtadams89

It is not correct that you will only see local indexes. The eventcount command will return all indexes that can be searched, local or remote distributed ones. But yes, it will only list ones that are accessible to the running user. It is true that Splunk's UI, API, and Management GUI do not provide a way to bypass security restrictions to allow people to list indexes they do not have access to.

(27 Jan '12, 12:32) gkanapathy ♦

I now hardcoded the index names in a StaticSelect for performance reasons ^^ Technically not pretty but efficient and solves my problem :)

(02 Feb '12, 04:17) flo_cognosec

Have you had a look at the UI Examples app? Splunk UI examples app for 4.1+ on Splunkbase

That has some good drop down search examples, so you could just build a drop down form dashboard where the drop down is populated with the results of something like index=* and choose the index fields to get the data.

answered 26 Jan '12, 05:19

Drainy

Thanks, sometimes you just overlook the obvious :/

(26 Jan '12, 05:53) flo_cognosec

Is it possible to exclude some indexes from the list?

answered 04 Oct '12, 07:23

manikdham
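As an added example that is not part of the original thread, here is how the eventcount search from gkanapathy's answer can feed a dropdown in a Splunk Simple XML form (4.3-era form syntax), while also answering manikdham's follow-up about excluding indexes: the populating search filters out the default summary and history indexes before the dropdown is built. The token name idx, the chosen exclusions and the timechart panel are assumptions made for this example, not something from the original posts.

```xml
<!-- Added example: Simple XML form with a dropdown populated from eventcount.
     Assumptions: token name "idx", exclusion of the "summary" and "history"
     indexes, and a timechart panel driven by the selected index. -->
<form>
  <label>Events by index</label>
  <fieldset>
    <input type="dropdown" token="idx">
      <label>Index</label>
      <!-- eventcount with summarize=false emits one row per index the running
           user is allowed to search (index=* skips the _internal-style indexes).
           dedup collapses per-indexer rows, the NOT clauses drop the indexes we
           do not want offered, and fields keeps only the index name. -->
      <populatingSearch fieldForValue="index" fieldForLabel="index">
        | eventcount summarize=false index=* | dedup index | search NOT index="summary" NOT index="history" | fields index
      </populatingSearch>
    </input>
  </fieldset>
  <!-- The selected index name is substituted into the panel search. -->
  <searchTemplate>index=$idx$ | timechart span=1h count</searchTemplate>
  <row>
    <chart>
      <title>Events per hour in $idx$</title>
      <option name="charting.chart">column</option>
    </chart>
  </row>
</form>
```

Because eventcount honours the role-based index restrictions gkanapathy describes, two users opening this form may see different dropdown contents, which is the desired behaviour: nobody is shown an index name they could not search anyway. To add or remove indexes from the list, change the NOT clauses in the populating search rather than hardcoding names in a StaticSelect, which keeps working but silently goes stale as indexes are created or retired.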


Last updated: 04 Oct '12, 07:23
