Is it possible to find out what time range Splunk users are searching for? We're upgrading our multi-site cluster from 6.3.3 to 6.4.2 to take advantage of tsidx reduction feature.
http://docs.splunk.com/Documentation/Splunk/6.4.2/Indexer/Reducetsidxdiskusage
I need to figure out what time range users are searching for? In particular how often searches are run against data that's more than 30/60 days old in 24 hours period? How can I find out this information? What search do I need to run on CM/SHs?
↧