In the Data Utilization element, users will see the Utilization Report that lists all index sourcetype pairings found in the Splunk environment.
The table provides columns to see how this data is currently being searched in three categories:
- Ad Hoc Queries
- This column shares the number of times this index and source type have been included in an SPL search from a search box by any user
- Scheduled Queries
- This column shows how often this index sourcetype pair is searched through Scheduled Searches
- Dashboard Queries
- This column reveals how often dashboards that contain panels that utilize the index sourcetype are used by users
After selecting an index sourcetype, the bottom half of the dashboard will populate with information related to how that particular index sourcetype is being utilized
Selecting a number value will reveal a table showcasing the Users, Searches, or Dashboards that utilize the data.
Scrolling further, a user can see what SPL was executed that had the index sourcetype in the search query.
By using these tools, admins can quickly know how data is being searched in their environment, and furthermore, who is searching the data.
Searches that do not have sourcetypes in their SPL are not captured. Due to the speed improvements that sourcetypes defining brings, its recommended for admins to popularize this search methodology as well!