
Sample Search

  • index=firewall src IN (10.11.12.*) dst IN ("10.12.14.15","11.12.13.14") action!=allowed | table _time origin src dest s_port service tcp_flags action layer_name

  • Find all index

| eventcount summarize=false index=* 
| dedup index 
| table index

  • Find indexes using rest

| rest /services/data/indexes 
| table title

or using curl

curl -u admin:password https://<splunk-server>:8089/services/data/indexes \
  -k | grep "<title>"
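The same lookup done programmatically, as an added example that is not part of the original page: it calls the `/services/data/indexes` endpoint the curl command uses, but authenticates with a bearer token instead of `-u admin:password` (which leaves the password in shell history and the process list) and parses the Atom XML rather than grepping for `<title>`. Grepping also matches the feed's own `<title>indexes</title>` element, which is not an index; the parser below restricts itself to `entry/title`. The server URL and token are placeholders, `verify_tls=False` is the equivalent of curl's `-k` and is off by default, and the sample feed is constructed here, not captured from a live server.

```python
"""Added example (not from the original page): list Splunk indexes via the
REST endpoint the curl command above hits, but parse the Atom XML properly
instead of grepping for "<title>". Assumes a Splunk management port at
https://<splunk-server>:8089 and an authentication token; both are
placeholders."""
import ssl
import urllib.request
import xml.etree.ElementTree as ET

ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}


def parse_index_titles(atom_xml: bytes) -> list:
    """Return the <title> of every <entry> in a Splunk REST Atom feed.

    grep "<title>" also matches the feed's own <title> element (the
    collection name, "indexes"), which is not an index; restricting to
    entry/title avoids that false match.
    """
    root = ET.fromstring(atom_xml)
    return [e.text for e in root.findall("atom:entry/atom:title", ATOM_NS)]


def grep_title_lines(atom_xml: bytes) -> list:
    """What the curl | grep "<title>" pipeline returns: every line containing
    <title>, including the feed title, so one line more than there are indexes."""
    return [l.strip() for l in atom_xml.decode().splitlines() if "<title>" in l]


def fetch_index_titles(base_url: str, token: str, verify_tls: bool = True) -> list:
    """Call /services/data/indexes with a bearer token (no password on the
    command line) and return the index names. count=0 asks for all entries
    rather than the REST API's default page of 30."""
    req = urllib.request.Request(
        f"{base_url}/services/data/indexes?count=0",
        headers={"Authorization": f"Bearer {token}"},
    )
    # Only disable certificate checking (the curl -k equivalent) when explicitly asked.
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_index_titles(resp.read())


# Constructed sample of the Atom feed shape Splunk returns (trimmed to the
# elements used here); not captured from a live server.
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>indexes</title>
  <entry><title>_audit</title></entry>
  <entry><title>_internal</title></entry>
  <entry><title>firewall</title></entry>
  <entry><title>main</title></entry>
</feed>"""

if __name__ == "__main__":
    print(parse_index_titles(SAMPLE_FEED))
    print(len(grep_title_lines(SAMPLE_FEED)), "lines matched by grep")
    # Live use (placeholders): fetch_index_titles("https://<splunk-server>:8089", "<token>")
```

Run against a live instance only after creating a token under Settings > Tokens; leave `verify_tls` at its default so the management port's certificate is actually checked.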

  • Find indexes using tstats (slowest)

| tstats count WHERE index=* by index
